b'Review of the SEC\xe2\x80\x99s Continuity of\nOperations Program\n\n\n\n\n                                                     April 23, 2012\n                                                     Report No. 502\n\nReview Conducted by TWM Associates, Inc.\n\n                           REDACTED PUBLIC VERSION\n\x0cReview of the SEC\xe2\x80\x99s Continuity of Operations Program   April 23, 2012\nReport No. 502\n                                      i\n                           REDACTED PUBLIC VERSION\n\x0cShould you have any questions regarding this report, please do not hesitate to\ncontact me, or the Acting Deputy Inspector General, Jacqueline Wilson at 1-\n6326.\n\nWe appreciate the courtesy and cooperation that you and your staff extended to\nour contractor during this review.\n\nAttachment\n\ncc:    James Burns, Deputy Chief of Staff, Office of the Chairman\n       Luis A. Aguilar, Commissioner\n       Troy A. Paredes, Commissioner\n       Elisse Walter, Commissioner\n       Daniel Gallagher, Commissioner\n       Lacey Dingman, Director, Office of Human Resources\n\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                 April 23, 2012\nReport No. 502\n                                      ii\n                           REDACTED PUBLIC VERSION\n\x0cReview of the SEC\xe2\x80\x99s Continuity of\nOperations Program\n\n                              Executive Summary\nBackground. The U.S. Securities and Exchange Commission (SEC or\nCommission) Office of Inspector General (OIG) contracted the professional\nservices of TWM Associates, Inc. 
(TWM) to conduct a review of the SEC\xe2\x80\x99s\nContinuity of Operations Program (COOP).\n\nA Continuity of Operations Program (COOP), including the Business Continuity\nPlanning (BCP) and Disaster Recovery Plan (DRP), are essential to an\norganization maintaining its critical operations when unforeseen disruptions or\ninterruptions occur that may affect the organization\xe2\x80\x99s normal operations. All\nfederal agencies are required to have viable programs and plans in place to\nensure they are able to continue to perform critical functions during an\nemergency. An agency\xe2\x80\x99s COOP plan focuses on restoring the organization\xe2\x80\x99s\nMission Essential Functions at an alternate site and performing those functions\nfor up to 30 days before returning to normal operations. Additional functions, or\nthose performed at a field office level, may be addressed by the BCP. \xe2\x80\x9cMinor\nthreats or disruptions that do not require relocation to an alternate site are\ntypically not addressed in a COOP plan.\xe2\x80\x9d 1 Standard elements of a COOP plan\ninclude: program plans and procedures; continuity communications; risk\nmanagement; vital records management; budgeting and acquisition of resources;\nhuman capital; essential functions; test, training, and exercise; order of\nsuccession; devolution; delegation of authority; reconstitution; and continuity\nfacilities. COOP plans are specific types of plans that should not be confused\nwith BCPs, DRP, or Information System Contingency Plans (ISCP).\n\nThe Office of the Chief Operating Officer, Chief Operating Officer (COO)\nassumed overall responsibility for overseeing the SEC\xe2\x80\x99s agency-wide COOP in\n2011, when the former Executive Director left the SEC and these duties were\ntransferred to the COO. 
Specifically, the Office of Freedom of Information Act,\nRecords Management, and Security\xe2\x80\x99s (OFRMS), which reports to the COO,\nOffice of Security Services (OSS), has been responsible for developing and\nmanaging the SEC\xe2\x80\x99s COOP since July 2011.\n\nThe SEC\xe2\x80\x99s regional offices and Office of Information Technology (OIT) also play\nsupporting roles in the COOP process. Regional office directors are responsible\nfor updating their COOP plan supplements. OIT has various functions\n\n1\n NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 8,\nsection 2.2.2.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                   April 23, 2012\nReport No. 502\n                                        iii\n                              REDACTED PUBLIC VERSION\n\x0ccomplementary to COOP processes and is responsible for developing and\nmanaging the technology processes for the SEC\xe2\x80\x99s business continuity\nmanagement structure. OIT is also responsible for the SEC\xe2\x80\x99s DRP and must be\nable to recover its full main infrastructure in the event of a disaster. Further, the\nresponsibilities associated with the DRP are overseen by the Commission\xe2\x80\x99s Chief\nInformation Officer.\n\nThe SEC has a COOP and some related COOP policies and procedures and the\nSEC periodically conducts testing of the COOP plan. In addition, there is an\noverall OIT contingency plan (e.g., the ISCP for the general support system) and\nindividual Headquarters division and office COOP plan documents. Further,\nDRPs and business impact analysis (BIA) are prepared for individual systems,\nand each regional office has a DRP for its office infrastructure that complements\nthe Headquarters\xe2\x80\x99 base DRP for regional offices.\n\nFurther, the SEC\xe2\x80\x99s COOP plan identifies essential personnel, vital records, lines\nof succession and other required information. 
The SEC has identified\nessential personnel under its COOP plan and it has established relocation sites\nfor\n\n                                                    The overall Commission\nCOOP plan document was updated April 2008 and April 2010, and the most\nrecent version is a draft dated October 2011. SEC\xe2\x80\x99s Headquarters\ndivisions/office\xe2\x80\x99s COOP plans and the regional office\xe2\x80\x99s COOP supplements have\nvarious dates, some of which are outdated.\n\nIn addition to its 2010 COOP plan, the SEC has a separate pandemic influenza\npreparedness plan (pandemic plan), which incorporates the COOP plan. The\nSEC\xe2\x80\x99s pandemic plan focuses on protecting the health of SEC employees, while\nmaintaining agency operations during a pandemic. 2\n\nObjectives. The overall objective of TWM\xe2\x80\x99s review was to determine whether\nthe SEC had a viable COOP, BCP, and DRP that sufficiently supported its\noperations at its Headquarters, Operations Center, and 11 regional offices.\nFurther, the review sought to determine if the Commission is adequately\nprepared to perform essential functions during business continuity or disaster\nrecovery event resulting from human/natural disasters, national emergency, or\ntechnological events which could impact the Commission\xe2\x80\x99s ability to continue\nmission-critical and essential functions. The sub-objectives for the review were\nto:\n\n\n\n2\n \xe2\x80\x9cA pandemic occurs when a novel strain of influenza virus emerges that has the ability to infect and be\npassed between humans. Because humans have little immunity to the new virus, a worldwide epidemic, or\npandemic can ensue.\xe2\x80\x9d National Strategy for Pandemic Influenza Implementation Plan, May 2006, page 1.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                      April 23, 2012\nReport No. 
502\n                                         iv\n                               REDACTED PUBLIC VERSION\n\x0c   \xe2\x80\xa2   Evaluate the Commission\xe2\x80\x99s pandemic plan to ensure it is formal,\n       documented, well-communicated, has been tested at regular\n       intervals, and meets the objectives of the National Strategy for\n       Pandemic Influenza: Implementation;\n   \xe2\x80\xa2   Assess the Commission\xe2\x80\x99s implementation and testing of its\n       pandemic plan;\n   \xe2\x80\xa2   Determine the Commission\xe2\x80\x99s plans for protecting its employees and\n       contractors during a pandemic occurrence; and\n   \xe2\x80\xa2   Evaluate the Commission\xe2\x80\x99s plans for sustaining essential functions\n       during high rates of employee absenteeism.\n\nResults. Our review found that while the SEC does have a COOP function and\nplan (including relocation sites and testing) in place, the program needs to be\nimproved. In particular, the SEC\xe2\x80\x99s COOP policies, directives and documents are\nout-of-date and incomplete, are not comprehensive and are not currently being\nfollowed in some respects. However, since assuming agency-wide responsibility\nfor the COOP Program, the COO directed OFRMS/OSS to perform a thorough\nreview of the SEC\xe2\x80\x99s entire COOP program. In addition, after the conclusion of our\nfieldwork for this review we were informed and confirmed that the OSS issued a\nstatement of work to hire a contractor to provide support to the SEC\xe2\x80\x99s COOP and\nto assist in addressing deficiencies OIG identified in this report and OSS\xe2\x80\x99s\ninternal COOP assessment.\n\nThe SEC\xe2\x80\x99s draft COOP plan states that the divisions, offices, and regional offices\nare required to report any changes to their supplemental plans to the COO. We\nfound, however, that supplemental plans are not being updated and two regional\noffices did not have supplemental COOP plans. 
Further, we found that essential\npersonnel information in the COOP supplements has not been properly\nmaintained and were not up-to-date. In addition, while the overall COOP plan\nreferenced key SEC personnel who comprise the vital records information for the\nregional offices and Headquarters divisions and offices, it was incomplete and\noutdated.\n\nOur review further identified deficiencies with the DRPs for individual systems,\nand we found that that the SEC does not prepare BCPs or ISCPs for its\ninformation systems. While OIT stated that BCPs and ISCPs are unnecessary\nbecause the components of these documents are included in the DRPs and BIAs\nfor these systems, we found that some BCP elements were missing.\n\nAdditionally, our review identified instances in which information feeds and power\ndistribution throughout the SEC\xe2\x80\x99s network could fail if a disruption were to occur.\nSpecifically, we found that the information data feeds for the SEC\xe2\x80\x99s\n         are currently available only through connections to the SEC network and\nthat the data would, therefore, be unavailable if the                        were\nincapacitated. We also identified power issues at the\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                   April 23, 2012\nReport No. 502\n                                      v\n                           REDACTED PUBLIC VERSION\n\x0cWe also uncovered inconsistencies between the categorization of the systems\nthat were reported to Office of Management and Budget under Federal\nInformation Security Management Act (FISMA), and the recovery time objectives\nestablished for SEC COOP systems. 
For FISMA reportable systems with a\nmoderate to low rated availability, the SEC COOP established recovery time\nobjectives may be overly aggressive and could result in unnecessary expense in\ndocumentation, testing, and infrastructure.\n\nIn addition, we found SEC systems with a recovery time objective of\nwhich was inconsistent with the COOP documentation for these systems and the\nFISMA availability categorization of the systems.\n\nFurther we found that improvements were needed in the processes for\nrecovering data from              and related testing. Specifically,\n\n\n                                                                       In addition, the\ncurrent             and data restoration processes are insufficient. The SEC\n\n\n\n\nBased upon a review of COOP documents including those found\n                                          we identified essential personnel who no\nlonger worked at the SEC, some essential personnel have not been issued\nremote access devices and/or tested the devices they were issued. 3 Further,\nsome essential personnel that were issued                    never logged in or have\nnot logged in remotely within the past year and, therefore, have not effectively\ntested their ability to log in during an unscheduled event using this remote access\nmethod.\n\nWe also found that remote access capabilities would be enhanced if remote\naccess to desktop applications could function even if the user\xe2\x80\x99s desktop\ncomputer was turned off or did not have power. The SEC has a pandemic plan\nand its remote access capabilities infrastructure appear to be adequate for this\npurpose.\n\n\n3\n\nmatters and is designed to provide SEC divisions/offices with the capability to customize their COOP\ninformation across a variety of categories. 
The                     Word files, Excel spreadsheets and pdf\nfiles that may be accessed and updated by individuals who have access to the site.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                        April 23, 2012\nReport No. 502\n                                          vi\n                                REDACTED PUBLIC VERSION\n\x0cThe DRPs for several regional offices have not been tested annually, and two\nregional offices did not include recovery phase testing in their latest disaster\nrecovery test plans. Also seven regional offices did not include reconstitution\nphase testing in their most recent disaster recovery test plans. Further, we found\nthat the regional offices did not test any element (e.g., a file or data record) from\nthe system\xe2\x80\x99s                  for systems that had overall moderate rating under\nFISMA.\n\nSEC division/office heads select essential personnel based on certain written\nfactors and designated        individuals as essential. Though the SEC indicated in\nits OIT contingency plan that COOP and disaster recovery testing exercise\nparticipation satisfies the requirement to ensure a trained workforce is available\nto support the SEC\xe2\x80\x99s mission critical functions during and following a disaster,\nour review revealed that only            (3.1 percent) of persons identified as\nessential personnel under the COOP actually attended the exercise. 
Further, our\nreview found the SEC did not have a sufficient level of participation by regional\noffice essential personnel in its disaster recovery testing to ensure they were\nadequately trained.\n\nWe were informed that equipment at the SEC\xe2\x80\x99s devolution sites were out-of-date\nand could not be used with SEC\xe2\x80\x99s network, due to unresolved security issues.\nFurther, the SEC\xe2\x80\x99s COOP plan indicates there are          workstations/work areas\navailable at the SEC\xe2\x80\x99s Operations Center location, where emergency response\npersonnel are to relocate in the event of an emergency. However, our review\nfound a total of      vacant seats (not vacant offices) in the entire building.\nTherefore, COOP plan documentation on space availability needs to be revised\nto reflect current space availability and needs, taking into account the potential\nfor telework and remote access.\n\nThe SEC performs DRP testing for each regional office infrastructure and\nindividual system applications. All of the regional office\xe2\x80\x99s DRPs state that\nPOA&Ms will be created. Our review found 39.5 percent of the\nrecommendations generated during the regional office DRP testing could not be\ntracked to any POA&M and was not identified as having been resolved in the\nupdated DRPs (dates ranging from 2010 to 2011). Further, we found that at\nleast two items identified in the annual Headquarters COOP testing that should\nhave been included as POA&M items (submission of filings gap during testing of\nTestimony Tracking System, and order of startup for production servers on\nBusiness Objective 11 system). We also found that eight regional offices have\nnot updated their DRPs to include recommendations that were identified in DRP\ntesting.\n\nThe SEC has chosen to eliminate the BCP, indicating that the elements in the\nBCP are already contained in the DRP and BIAs. 
As a consequence, the SEC\xe2\x80\x99s\nDRP exercises are primarily viewed as information technology exercises. As\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                     April 23, 2012\nReport No. 502\n                                     vii\n                           REDACTED PUBLIC VERSION\n\x0ctraining and exercises cover the same topics, the SEC uses exercises to satisfy\nits training requirement in an effort to reduce the number of hours that are\ndevoted to these activities. We also found that the SEC used the participation in\nregional office DRP exercises to satisfy its requirement to train essential\npersonnel both for the COOP plan and DRP. Our testing revealed that between\n2008 and 2011, an average of 88 percent of regional office identified essential\npersonnel did not participate in DRP training or exercises. This indicates that the\nregional offices essential personnel may not have been sufficiently trained in their\nroles and responsibilities during a disaster recovery event. As a consequence,\nessential personnel may not be able to perform their responsibilities during the\nactivation of a DRP.\n\nFinally, we found that while OIT personnel regularly participate in DRP exercises,\nmany key essential personnel do not participate in these exercises and have not\nreceived the appropriate role-based training for their part in DRP and COOP\nactivities. Instead, in the past these personnel have only received the annual\nrefresher, online training course.\n\nRecommendations. 
Based on the results of our review we made the following\nrecommendations:\n\n          (1) The Office of the Chief Operating Officer should ensure that the\n              OFRMS completes its review of the agency-wide COOP to ensure\n              the Commission\xe2\x80\x99s COOP is comprehensive, cohesive, and in\n              compliance with federal guidance.\n\n          (2) OFRMS should revise and update the Commission\xe2\x80\x99s continuity of\n              operations program policies and procedures to ensure they are\n              comprehensive, complete, and up-to-date.\n\n          (3) OFRMS and OIT, in conjunction with the program divisions/offices\n              and regional offices, should update, revise and finalize all COOP\n              documents, including the overall Headquarters COOP plan,\n              individual division/office COOP plans, regional office COOP\n              supplements, disaster recovery plans, business continuity plans and\n              business impact analyses, and pandemic plans supplements.\n              OFRMS and OIT should ensure these documents are complete and\n              include all the necessary elements, and that they properly define the\n              Commission\xe2\x80\x99s essential functions. In addition, processes should be\n              implemented to ensure annual review and approval of these\n              documents.\n\n          (4) OFRMS, in conjunction with program and regional offices, should\n              ensure that vital records and lines of succession are properly\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                    April 23, 2012\nReport No. 
502\n                                     viii\n                           REDACTED PUBLIC VERSION\n\x0c              identified, documented and readily available during continuity\n              events.\n\n          (5) OIT, in conjunction with the primary program information users,\n              should identify\n                                                   at the alternate locations should\n                             be unavailable. Further, OIT should review the SEC\xe2\x80\x99s\n              network and topology to ensure there are\n\n\n          (6) OIT should ensure proper power distribution throughout the network\n\n\n\n\n          (7) OFRMS, in conjunction with the OIT and system owners, should\n              revise the SEC system recovery time objectives to specify more\n              realistic timeframes, based on the ability to transition to the alternate\n              site, and then determine acceptable recovery times. The recovery\n              plan and priority of recovery of the systems should be based on the\n              overall mission of the agency with a focus on real-time monitoring of\n              the markets. 
Further, the identification of high priority systems\n              should focus on the immediate mission of the agency, and systems\n              documentation should also be reviewed to ensure proper recovery\n              priority is reflected based on the contribution to the SEC\xe2\x80\x99s mission\n              and functions.\n\n          (8) For underutilized systems such as the\n                                  the Office of Information Technology should\n              consider discontinuing maintenance, retiring the system, or\n              alternatively making more robust use of the system such that\n              additional Commission funds are not wasted on underutilized\n              systems.\n\n          (9) OIT, in conjunction with system owners, should identify the\n              requirements (e.g., files, data, and system software) for all systems\n              (at minimum, Federal Information Security Management Act\n              reportable systems). OIT should ensure that            requirements\n              are documented, understood by the owner, and published for future\n              reference. Further, OIT should ensure system software licenses\n              and key requirements are included in           documentation, and\n              the location of this information is known to ensure restoration\n              capability at the alternate location site.\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                      April 23, 2012\nReport No. 
502\n                                     ix\n                           REDACTED PUBLIC VERSION\n\x0c          (10) OIT, in conjunction with the regional offices, should document the\n             processes and procedures to be used in the event that a regional\n             office needs to restore its systems at a regional office transition site,\n             and the corresponding effect on the            procedures for other\n             regional offices that may need to use a regional office transition site\n             or alternate method to ensure recoverability.\n\n          (11) OIT should continue its efforts to replace the regional office\xe2\x80\x99s tape\n                     systems. Additionally, OIT should define a              and\n             recovery strategy for multi-hosted application restoration for the\n             regional offices. OIT should also document the system specific files\n             and database items, in order to facilitate the ability to restore only\n             necessary items, rather than the entire database, which could take\n             many hours to accomplish and is not in line with the recovery time\n             objectives for individual systems.\n\n          (12) OIT should implement consistent and appropriate\n             schedules for mission essential and Federal Information System\n             Management Act reportable systems, including daily, weekly, and\n             monthly          processes and procedures, to ensure these\n             systems are recoverable.\n\n          (13) OIT should include in the Disaster Recovery Plan and Business\n             Continuity Plan, testing steps that are designed to ensure the\n             restoration from                 that is consistent with the\n             requirements for systems that are rated as moderate, in accordance\n             with the National Institute of Standards and Technology guidance\n             under the Federal Information Systems 
Management Act.\n\n          (14) OIT should ensure that remote access testing is included as part of\n             all Continuity of Operations Program, disaster recovery and\n             pandemic testing activities, including those performed in the regional\n             offices, to ensure that essential personnel and a sample of the\n             representative users of the system are able to function remotely\n             during an unscheduled event.\n\n          (15) OIT, in consultation with the OFRMS, should require semi-annual\n             testing of remote access devices to ensure up-to-date connectivity\n             and ability for both essential personnel and non-essential personnel\n             to access the Commission\xe2\x80\x99s network. In addition, OIT and OFRMS\n             should implement a system notification warning prior to the\n             connectivity testing date and then disable those devices that are not\n             updated.\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                      April 23, 2012\nReport No. 
502\n                                      x\n                           REDACTED PUBLIC VERSION\n\x0c          (16) OFRMS and OIT should consider implementation of alternate\n             remote access solutions and/or internal directory structure\n\n                                                   and Federal Information\n              Security Management Act reportable systems.\n\n          (17) OFRMS and OIT should update the COOP documents and\n             necessary agreements to appropriately reflect authorized telework\n             activities by Commission personnel during unscheduled events\n             under the COOP, disaster recovery and pandemic plans, including\n             equipment that will be used for teleworking in such circumstances.\n\n          (18) OFRMS and OIT should ensure that the agency\xe2\x80\x99s disaster recovery\n             testing includes the Commissions mission essential and Federal\n             Information Security Management Act reportable systems and\n             pandemic plan testing is conducted on a regular basis.\n\n          (19) OIT should determine aspects of continuity of operations disaster\n             recovery and business continuity plan testing that should be\n             conducted annually for regional offices and for Federal Information\n             Security Management Act reportable systems based upon their\n             security categorization. 
OIT should ensure that this testing includes\n             the recovery phase and the reconstitution phase, as well as a\n             restoration from\n\n          (20) OIT should add elements to contracts and service level agreements\n             for externally hosted systems to provide appropriate methods by\n             which the SEC can obtain assurance that appropriate disaster\n             recovery plan testing is performed on mission essential and Federal\n             Information Security Management Act reportable systems and to\n             ensure the systems are able to function during unscheduled events.\n             Such measures may include SEC participation in the disaster\n             recovery plan testing for the externally hosted systems and/or a\n             review of the results of such testing.\n\n          (21) OIT should include elements of testing from an alternate site in the\n             regional office continuity of operations program, disaster recovery,\n             and business continuity plan testing on a periodic basis to ensure\n             the necessary capability and functionality for regional office activities\n             are in place.\n\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                      April 23, 2012\nReport No. 
502\n                                     xi\n                           REDACTED PUBLIC VERSION\n\x0c          (22) OFRMS and OIT should include designated essential personnel for\n             systems, divisions/offices, and regional offices in COOP and\n             disaster recovery testing to ensure that a trained workforce is\n             available to support the SEC\xe2\x80\x99s mission critical functions following a\n             disaster.\n\n          (23) OIT should ensure that system specific scripts and test scenarios\n             are included in the disaster recovery and business continuity plan\n             testing activities to provide assurance of system functionality at\n             alternate locations.\n\n          (24) OFRMS and OIT should reassess the definition of essential\n             personnel to ensure that this designation includes only personnel\n             whose services are needed during an event to establish mission\n             essential system connectivity and conduct essential activities until\n             normal operations are resumed. 
OFRMS and OIT should also\n             develop policies and procedures to ensure that elevated\n             communication cards are distributed only to necessary personnel,\n             cards are disabled upon an employee\xe2\x80\x99s departure from the agency,\n             and all essential personnel have appropriate elevated\n             communication cards.\n\n          (25) OFRMS, in conjunction with the regional offices, should specify\n             alternate work locations for which the necessary logistics, such as\n             memoranda of agreement, service level agreements, or credit card\n             limits for hotel conference rooms or other locations, are arranged in\n             advance.\n\n          (26) OFRMS should categorize essential personnel according to\n             necessary functions, based on various realistic scenarios (such as\n             Headquarters or Operations Center locations becoming inaccessible\n             or not operational, including traffic conditions that would affect the\n             scenario). Possible categories include personnel required for\n             immediate activities, personnel needed to establish connections at\n             the alternate site, and personnel needed to work remotely at\n             designated alternate sites such as their homes, hotels, or other\n             specified locations.\n\n          (27) OFRMS, as part of its planning efforts, should specify when\n             Commission personnel are to telework after an event and when they\n             must go to the designated alternate locations instead of teleworking.\n\n          (28) OFRMS and OIT should define migration paths from\n                     should it become inaccessible and specify where the\n             alternate worksite locations for\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                   April 23, 2012\nReport No. 
502\n                                     xii\n                           REDACTED PUBLIC VERSION\n\x0c          (29) OFRMS and OIT should ensure that the designated Headquarters\n             alternate worksites are ready for use and contain sufficient\n             equipment and technology resources. In addition, COOP plan\n             documentation should be revised to reflect current space availability\n             and needs, taking into account the potential for telework and remote\n             access.\n\n          (30) OFRMS and OIT should ensure that designated alternate worksite\n             locations are visited and tested periodically to ensure ready access\n             and use. Appropriate steps should be taken to ensure that any\n             cards or badges required for entry to alternate worksite locations are\n             kept up to date and have not expired.\n\n          (31) OIT should reinforce the need for SEC personnel and contractors to\n             register in the agency\xe2\x80\x99s emergency notification system, which is\n             designated as the primary method of notifying employees during a\n             continuity of operations or pandemic event. OIT should also\n             implement procedures to ensure the removal of personnel from the\n             emergency notification system after they leave the SEC.\n\n          (32) OFRMS and OIT should clearly define in the continuity of\n             operations, disaster recovery, and business continuity plan\n             documentation the alternate worksite or telework locations for both\n             essential and non-essential personnel. 
This documentation should also clarify whether, when relocating to an alternate site is required, family members may accompany Commission employees and contractors to the relocation site, consistent with federal regulations.

(33) OFRMS and OIT should ensure that recommendations made as a result of the continuity of operations, disaster recovery, business continuity and pandemic testing are included in a management corrective action plan (CAP) and are maintained in the CAP until they are resolved.

(34) OIT should ensure that open POA&M items from previous years are evaluated by management and final corrective actions are implemented to close the items.

(35) OFRMS and OIT should ensure that continuity of operations, disaster recovery, and business continuity plan training occurs prior to annual tests, exercises, or events, as recommended by NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for Information Technology Plans and Capabilities, in order to ensure that individuals are prepared for their specific roles during a disaster recovery event.

(36) OFRMS, in conjunction with the OHR, OIT, and the various divisions and offices, should consider, consistent with federal personnel regulations, whether regional office personnel can be cross-trained in functions that are performed exclusively at the Commission Headquarters and regional offices and, if so, should define these functions and implement procedures for cross-training personnel for mission essential functions in the case of a COOP or pandemic event.

(37) OFRMS and OIT, in conjunction with the OAS and OGC, should document that the necessary contractual agreements and/or provisions are in place to ensure the availability of hardware, software, and services that may be required during an emergency. The use of government credit cards to procure such equipment and services should also be considered and documented. If government credit cards are to be used for this purpose, the authorized limits established should be sufficient for such purchases.

(38) OFRMS and OIT, in conjunction with the regional offices, OAS, OFM, and OGC, should ensure that appropriate and updated Memoranda of Agreement, Memoranda of Understanding, and Service-Level Agreements are executed to provide for alternate work site locations, capabilities, and accommodations that may be necessary to ensure continuity of operations.

OFRMS and OIT fully concurred with all the recommendations in this report that were addressed to their respective offices.

The full version of this report includes information that the SEC considers to be sensitive or proprietary. 
To create this public version of the report, OIG redacted (blacked out) potentially sensitive, proprietary information from the report.

TABLE OF CONTENTS

Executive Summary .......... iii
Table of Contents .......... xv
Background and Objectives .......... 1
    Background .......... 1
    Objectives .......... 10
Findings and Recommendations .......... 11
    Finding 1: SEC’s COOP Policies, Procedures and Documents Require Updating, More Cohesiveness, and Inclusion of Missing Elements .......... 11
        Recommendation 1 .......... 18
        Recommendation 2 .......... 18
        Recommendation 3 .......... 19
        Recommendation 4 .......... 19
    Finding 2: Network Weaknesses Could Affect the SEC’s Continuity of Operations and Disaster Recovery Plans .......... 20
        Recommendation 5 .......... 21
        Recommendation 6 .......... 21
    Finding 3: The COOP Systems’ Availability Categorization and Utilization Should be Reviewed .......... 22
        Recommendation 7 .......... 24
        Recommendation 8 .......... 24
    Finding 4: Improvements Are Needed in Recovery from                      and Related Testing .......... 25
        Recommendation 9 .......... 28
        Recommendation 10 .......... 29
        Recommendation 11 .......... 29
        Recommendation 12 .......... 29
        Recommendation 13 .......... 30
    Finding 5: Remote Access/Telework Testing Was Not Included in the SEC’s DRP and Pandemic Plan Testing .......... 30
        Recommendation 14 .......... 33
        Recommendation 15 .......... 34
        Recommendation 16 .......... 34
        Recommendation 17 .......... 34
    Finding 6: COOP and Disaster Recovery Testing Activities Can Be Improved .......... 35
        Recommendation 18 .......... 39
        Recommendation 19 .......... 40
        Recommendation 20 .......... 40
        Recommendation 21 .......... 40
        Recommendation 22 .......... 41
        Recommendation 23 .......... 41
        Recommendation 24 .......... 41
    Finding 7: Alternate Work Locations Need to Be Realistic, Maintained in a Ready State, and Communicated to Staff .......... 42
        Recommendation 25 .......... 45
        Recommendation 26 .......... 46
        Recommendation 27 .......... 46
        Recommendation 28 .......... 46
        Recommendation 29 .......... 47
        Recommendation 30 .......... 47
        Recommendation 31 .......... 47
        Recommendation 32 .......... 48
    Finding 8: Plans of Action and Milestones (POA&M) Need to Be Complete and Up-to-Date .......... 48
        Recommendation 33 .......... 49
        Recommendation 34 .......... 50
    Finding 9: Additional Training and Cross-Training of COOP Personnel is Required .......... 50
        Recommendation 35 .......... 52
        Recommendation 36 .......... 53
    Finding 10: Necessary Memoranda of Agreement, Memoranda of Understanding, and Service-Level Agreements Were Not Present or Are Outdated .......... 53
        Recommendation 37 .......... 55
        Recommendation 38 .......... 56
Appendices
    Appendix I: Abbreviations .......... 57
    Appendix II: List of Issues Identified in Review of Disaster Recovery and Continuity of Operations Plans .......... 58
    Appendix III: List of Issues Identified from Sample Testing of System Disaster Recovery Plan and Business Impact Analysis Documents .......... 61
    Appendix IV: Scope and Methodology .......... 64
    Appendix V: Criteria .......... 66
    Appendix VI: List of Recommendations .......... 68
    Appendix VII: Management Comments .......... 77
    Appendix VIII: OIG Response to Management’s Comments .......... 86

Background and Objectives

Background

Based on the Office of Inspector General’s (OIG) annual audit plan, the OIG contracted the professional services of TWM Associates, Inc. (TWM) to conduct a review of the SEC’s Continuity of Operations Program (COOP).

All federal agencies are required to have viable programs and plans in place to ensure they are able to continue to perform critical functions during an emergency. 
Specifically, Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements, “provides direction to the Federal executive branch for developing continuity plans and programs” and provides that “[c]ontinuity requirements must be incorporated into the daily operations of all agencies to ensure seamless and immediate continuation of Primary Mission Essential Function (PMEF) capabilities so that critical government functions and services remain available to the Nation’s citizens.” 4

FCD 1 states, “In support of this policy, the Federal executive branch has developed and implemented a continuity program which is composed of efforts within individual agencies to ensure that their Mission Essential Functions (MEF) continue to be performed during a wide range of emergencies, including localized acts of nature, accidents, and technological or attack-related emergencies.” 5 FCD 1 also states, “All agencies, regardless of their size or location, shall have in place a viable continuity capability to ensure continued performance of their agency’s essential functions under all conditions.” 6 Federal Continuity Directive 2 (FCD 2), Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, provides guidance and direction to federal agencies in identifying their MEFs and potential PMEFs, and provides that “[a]n agency should carefully review all of its missions and functions before determining those that are essential.” 7

Federal Requirements for COOP Plans and Related Documents

An agency’s COOP plan focuses on restoring the organization’s MEFs at an alternate site and performing those functions for up to 30 days before returning to normal operations. 
Additional functions, or those performed at a field office level, may be addressed by a business continuity plan (BCP). 8 “Minor threats or disruptions that do not require relocation to an alternate site are typically not addressed in a COOP plan.” 9 Standard elements of a COOP plan include: program plans and procedures; continuity communications; risk management; vital records management; budgeting and acquisition of resources; human capital; essential functions; test, training, and exercise; order of succession; devolution; delegation of authority; reconstitution; and continuity facilities. COOP plans are specific types of plans that should not be confused with BCPs, Disaster Recovery Plans (DRP), or Information System Contingency Plans (ISCP). 10

4 Federal Continuity Directive 1 (FCD 1), February 2008, pages 1-2.
5 Federal Continuity Directive 1 (FCD 1), February 2008, page 2.
6 Federal Continuity Directive 1 (FCD 1), February 2008, page 2.
7 Federal Continuity Directive 2 (FCD 2), February 2008, page A-1.

A BCP focuses on sustaining an organization’s mission or business processes (e.g., payroll) during and after a disruption, and may be written for mission or business processes within a single unit or may address the entire organization’s processes. A BCP may be scoped to address only priority functions, and it may be used for long-term recovery in conjunction with an organization’s COOP plan. 11

A DRP applies to major (usually physical) “disruptions to service that deny access to the primary facility infrastructure for an extended period,” and is an information system-focused plan designed to restore operability at an alternate site after an emergency. 12 A DRP may be supported by multiple ISCPs and may support a BCP or COOP plan by recovering supporting systems for mission or business processes or MEFs at an alternate location. DRPs only address information system disruptions that require relocation. 13

An ISCP provides procedures for system assessment and recovery following a system disruption and provides key information needed for system recovery. An ISCP differs from a DRP primarily in that ISCP procedures are developed for recovery of a system regardless of its site or location. Once a DRP has successfully transferred a system to an alternate site, “each affected system would then use its respective ISCP to restore, recover, and test systems, and put them into operation.” 14 While COOP plans address national, primary or mission essential functions, ISCPs address federal information systems and are mandated by the Federal Information Security Management Act (FISMA). 15

8 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 8, section 2.2.2.
9 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 8, section 2.2.2.
10 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 8, section 2.2.2.
11 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 8, section 2.2.1.
12 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 10, section 2.2.6.
13 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 10, section 2.2.6.
14 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 10, section 2.2.7.

A business impact analysis (BIA) is a key step in the contingency planning process and is intended to correlate the system with the critical mission or business process and services provided and, based on that information, characterize the consequences of a disruption. 16 The three steps typically involved in the BIA process are: (1) determining mission or business processes and recovery criticality; (2) identifying resource requirements; and (3) identifying recovery priorities for system resources. 17

SEC COOP Oversight and Responsibilities

The SEC has a COOP and certain related policies and procedures. The Office of the Chief Operating Officer, Chief Operating Officer (COO) currently has responsibility for overseeing the SEC’s agency-wide COOP. The COOP was previously overseen by the Office of the Executive Director’s former Executive Director. However, effective July 25, 2011, primary responsibility for COOP was transferred to the Office of Freedom of Information Act, Records Management, and Security’s (OFRMS), Office of Security Services (OSS), and the OFRMS director reports to the COO. 
18 OSS develops and manages the central agency-wide COOP plan which “describes what procedures are taken to sustain SEC’s critical mission functions for a period of 30 days in the event of a large scale disaster and disruption.” 19

The COO directed OFRMS/OSS to perform a thorough review of the entire COOP to ensure that it complies with Federal Emergency Management Agency guidance. Subsequent to the exit conference for this review, OSS management informed us that OSS had initiated a self-review of the COOP program in October 2011 and provided us with a brief outline of its review of the SEC’s                                                    is an internal          system that is dedicated to continuity assurance and emergency preparedness. The site contains links to authoritative guidance for continuity and emergency matters and is designed to provide SEC divisions/offices with the capability to customize their COOP information across a variety of categories. The site further includes Word files, Excel spreadsheets and pdf files that may be accessed and updated by individuals who have access to the site. 

15 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 9, section 2.2.7. FISMA, which was enacted as Title III of the E-Government Act of 2002, provides the framework for securing the federal government’s information technology and requires agency program officials, chief information officers, privacy officers, and inspectors general to conduct annual reviews of the agency’s information security and privacy programs and report the results to the Office of Management and Budget (OMB).
16 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 15, section 3.2.
17 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, pages 15-16, section 3.2.
18 The Chief Operating Officer was appointed Acting Executive Director on May 3, 2011, and the Commission approved rule amendments reflecting the consolidation of the Office of the Chief Operating Officer (OCOO) and Office of the Executive Director in September 2011.
19 Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August 23, 2011, page 4, section 5d.

We obtained a spreadsheet from the        site that identified SEC personnel who were designated as essential. Subsequent to the end of fieldwork, OFRMS provided OIG with a statement of work seeking from potential contract vendors a range of tasks to support the SEC’s COOP, including assistance in resolving the deficiencies OIG identified in this report and assistance with OSS’s internal COOP assessment.

In addition to the primary COOP role OSS has, the regional offices and the Office of Information Technology (OIT) play supporting roles in the COOP process. According to the SEC’s COOP plan, the regional office directors are responsible for updating the regional office’s COOP plan supplements. OIT has various functions complementary to the SEC’s COOP processes and is primarily responsible for developing and managing the technology processes for the SEC’s business continuity management (BCM) structure. 20 OIT is also responsible for the DRP and must be in a “position to recover its full main infrastructure in the event of a total or partial disaster.” 21

Description of the SEC’s COOP Plan and Related Documents

The SEC’s COOP plan consists of an overall high-level Commission COOP plan document. There is also a regional office base COOP plan document and separate individual regional office COOP plan supplements. In addition, there is an overall OIT contingency plan (i.e., the ISCP for the general support system) and individual Headquarters divisions/offices COOP plan documents. Further, DRPs and BIAs are prepared for individual systems, and each regional office has a DRP for its office infrastructure, complementing the base DRP for regional offices.

The SEC’s COOP plan identifies essential personnel, vital records, lines of succession and other required information. 
The SEC identified        essential personnel under its COOP plan and established relocation sites for SEC                                                                     The overall Commission COOP plan document was updated in April 2008 and April 2010, and the most recent version of the document on the          is a draft document that is dated October 2011. The regional office COOP supplements and individual Headquarters division and office COOP plans have various dates and have not been recently updated.

20 Operating Directive, IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August 23, 2011, page 4, section 5f.
21 Disaster Recovery Planning Policy, OIT-00003-001.0, August 6, 2002.

In addition to its COOP plan, the SEC has a separate pandemic influenza preparedness plan (pandemic plan), which incorporates by reference the SEC’s COOP plan as it may be amended from time to time. The SEC’s pandemic plan focuses on protecting the health of SEC employees, while maintaining agency operations during a pandemic. 22

Overview of the SEC’s Network and Locations

The SEC is an independent regulatory agency and has the statutory responsibility to oversee and regulate the nation’s securities markets and participants. SEC employees and contractors rely extensively on the SEC’s network to perform their duties. 
SEC’s network infrastructure includes a general support system for its                                                                   (to serve as the                                     and its 11 regional offices that are located throughout the country.

The SEC network is an integrated client/server system that is comprised of local area networks, a metropolitan area network, and a wide area network. The wide area network provides connectivity to SEC sites throughout the continental United States. OIT owns and operates the SEC’s various network subsystems, which are located at various facilities that the SEC leases. The SEC’s network provides services to both internal and external customers (e.g., electronic filers), who use the network for their business applications. The SEC’s network provides the necessary security services to support these applications.

The SEC’s wide area network is a dynamic virtual private network that connects the regional offices with the                        and Alternate Data Center. The virtual private network environment uses dynamic technology, which allows the regional offices to connect directly with each other. This solution alleviates the need for all traffic between sites to pass through the Alternate Data Center or                       before arriving at the destination site. The metropolitan area network connects the                          Alternate Data Center, and Headquarters locations, and contains redundant aspects (i.e., the ability to use multiple paths) to prevent failure in any single location.

The network infrastructure provides the computer environment for all the applications that are used to support the SEC’s business functions and mission. Some of these applications are designated as major applications in the SEC’s reports to the Office of Management and Budget (OMB) under FISMA. In its Fiscal Year 2011 FISMA report to OMB, the SEC listed a total of                               24                                           at outside entities (both federal and private). The SEC’s internally hosted systems are                    and the majority of the systems have a                     at the                        Additionally,               are run daily, weekly and monthly, based upon schedules for incremental data, full data, and full system                    

While the SEC’s regional offices have systems that are supported by its network, each regional office has a                                                 The regional offices still use              as the primary means of recovering critical regional office servers and data. 

22 “A pandemic occurs when a novel strain of influenza virus emerges that has the ability to infect and be passed between humans. Because humans have little immunity to the new virus, a worldwide epidemic, or pandemic can ensue.” National Strategy for Pandemic Influenza Implementation Plan, May 2006, page 1.
23 The SEC’s regional offices are located in Atlanta, Boston, Chicago, Denver, Los Angeles, Miami, New York, Philadelphia, Salt Lake, and San Francisco.

The regional offices’ data is also replicated in real time to servers located at designated                                The replication            act as a secondary means of restoring the regional offices’ data and are generally used only following a catastrophic event that severely damages or destroys a regional office’s network.

SEC Policies and Procedures Relating to COOP

The SEC’s policies and procedures relating to the COOP are currently all OIT policy documents such as: Operating Directive 24-04.09 (02.0), Information Technology (IT) Security Business Continuity Management Program, dated August 23, 2011; Implementing Instruction 24-04.09.01 (02.0), Business Impact Analysis, dated August 22, 2011; Disaster Recovery Planning Policy, OIT-00003-001.0, dated August 6, 2002; and Disaster Recovery Planning Procedures, OIT-00047-001.0, dated February 4, 2003.

According to Operating Directive 24-04.09, “[b]ased on federal requirements, the SEC has developed an agency-wide program that has policies, processes, and procedures to address the information and information system security requirements needed for business continuity in the event of a disruption.” 26 The Operating Directive states that the SEC has created a BCM framework of plans to centralize plan development and ensure that all plans are consistent and standardized, address applicable information technology security requirements, and identify priorities for training, testing, exercise, and maintenance. 27 The Operating Directive further provides that “[t]he BCM framework is a suite of plans used to prepare its response, recovery, and restoration of business processes in the event of a disruption, and that plans for business continuity are grouped under continuity of operations processes, business processes, and technology processes.” 28 It notes that “[m]any of these plans have dependencies and must, therefore, be synchronized,” and that “[p]lans to recover business processes at high levels are considered to be subsets of the continuity of operations processes.” 29

Operating Directive 24-04.09 describes the agency’s COOP plan as directing “its focus on supporting the SEC’s executive leadership and essential organizational structure,” and references various supporting plans, such as the BRP, that deal with immediate crisis operations and communications throughout the COOP plan’s activation. 

24 SEC FISMA submission to OMB, October 14, 2011. OMB Memorandum for Heads of Executive Departments and Agencies on FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, M-11-33, September 14, 2011, provides that all of an agency’s information systems should be included as part of the agency’s FISMA report. M-11-33, FY 2011 Frequently Asked Questions on Reporting for the Federal Information Security Management Act and Agency Privacy Management, page 3, Answer to Question 8.
26 Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August 23, 2011, page 3, section 5b.

30 The Operating Directive further states that each functional\noffice addresses functional level business processes that directly support the\nCOOP plan in a contingency plan, and notes that examples of functional level\nbusiness processes include human resources, procurement, public relations,\nfacilities management, and legal and other services based upon the results of the\nagency-wide BIA. 31 According to the Operating Directive, critical business\nprocesses at the organizational unit and regional levels are maintained through\nBCPs, which serve as a primary input in the COOP plan. It also states that BCPs\nare managed by the organizational units that own the business processes and/or\nfacilities, under the approval of the COOP plan coordinator. 32\n\nAs noted above, OIT has primary responsibility for developing and managing the\nSEC\xe2\x80\x99s technology processes for the BCM structure. Operating Directive 24-\n04.09 provides that each major application and general support system 33 in the\nSEC has a supporting Information Technology Contingency Plan (ITCP) (also\n\n27\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, page 3, section 5c.\n28\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, pages 3-4, section 5c.\n29\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, pages 3-4, section 5c.\n30\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, pages 4, section 5d.\n31\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, page 4, section 5d.\n32\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, page 4, section 5e. 
Our review did not disclose that any one individual is currently performing the\nfunction of the COOP plan coordinator. As noted above, primary COOP responsibility transitioned from the\nformer Office of the Executive Director to the OCOO in 2011 and the agency\xe2\x80\x99s COOP program is under\nreview.\n33\n   A major application is define as one \xe2\x80\x9cthat requires special attention to security due to the risk and\nmagnitude of the harm resulting from the loss, misuse, unauthorized access to, or unauthorized modification\nof, the information in the application.\xe2\x80\x9d The general support system interconnects \xe2\x80\x9cinformation resources\nunder the same direct management control that share common functionality.\xe2\x80\x9d Operating Directive IT\nSecurity Business Continuity Management Program, OD 24-04.09 (02.0), August 23, 2011, page 2.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                         April 23, 2012\nReport No. 502\n                                        Page 7\n                                REDACTED PUBLIC VERSION\n\x0creferred to as an ISCP) that includes detailed procedures for responding,\nrecovering, and restoring information systems that are damaged or destroyed in\nthe event of a disruption. According to the Operating Directive, the ITCP\naddresses emergency situations covered in a DRP for an information system. 
34\n\nOperating Directive 24-04.09, further provides that each ITCP is supported by a\nBIA, and that \xe2\x80\x9c[t]he result of the BIA is used to determine overall contingency\nrequirements and priorities.\xe2\x80\x9d 35 Implementing Instruction 24-04.09.01, Business\nImpact Analysis, provides that the BIA is an essential component of the SEC\xe2\x80\x99s\nBCM program and notes that the\xe2\x80\x9d[t]he BIA links specific system components with\nthe critical services they provide, identifying the consequences that disruption of\nthe system\xe2\x80\x99s availability would have on the SEC mission.\xe2\x80\x9d 36 The Implementing\nInstruction describes the four phases of the BIA process: pre-planning and\ncoordination; information collection and research; identification of critical\ninformation technology assets; identification of allowable outage and recovery\ntimes; and development of recovery priorities; and post BIA activities and\nmaintenance. 37 Under the Implementing Instruction, recovery time objectives for\nsystems are determined based upon the following:\n\n         1. whether the availability of the information technology systems in\n            question can be recovered partially or must be totally restored in\n            order for mission-critical processes to continue; and\n         2. balancing the cost of information system in operability against\n            the cost of the resources required to restore the information\n            system. 38\n\nIn addition, the SEC\xe2\x80\x99s Disaster Recovery Planning Policy, OIT-00003-001.0, is\nintended to ensure that OIT is in a position to recover its full infrastructure 39 in the\nevent of a disaster. 
The policy \xe2\x80\x9csupports a             strategy of mirroring and\ncritical server rebuilds, as determined by OIT management,\xe2\x80\x9d and \xe2\x80\x9csets forth a\nstrategy requiring reallocation and rebuilding of OIT resources in order of\ncriticality.\xe2\x80\x9d 40 Further, under this policy, the OIT Disaster Recovery Specialist is\nrequired to ensure that disaster recovery related issues are addressed, provide\ndisaster recovery guidance to project management and staff, coordinate and/or\n\n34\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, pages 4-5, section 5f.\n35\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, pages 4-5, section 5f.\n36\n   Implementing Instruction Business Impact Analysis, II 24-04.09.01 (02.0) August 22, 2011, pages 2,\nSection 5a.\n37\n   Implementing Instruction Business Impact Analysis, II 24-04.09.01 (02.0), August 22, 2011, pages 2-4,\nSection 5c.\n38\n   Implementing Instruction Business Impact Analysis, II 24-04.09.01 (02.0), August 22, 2011, page 3\nSection 5c(4).\n39\n   The term \xe2\x80\x9dinfrastructure\xe2\x80\x9d refers to the underlying technological components that constitute an\norganization\xe2\x80\x99s enterprise architecture; it includes hardware, operating systems, shared storage, data/voice\ncommunications, database, developments of maintenance tools, and application software.\n40\n   Disaster Recovery Planning Policy, OIT-00003-001.0, August 6, 2002, page 1, Section 2.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                         April 23, 2012\nReport No. 
502\n                                        Page 8\n                                REDACTED PUBLIC VERSION\n\x0cconduct BIAs, coordinate and validate disaster recovery testing, and ensure that\ndisaster recovery information is maintained in the\n                                     41\n\n\n\nTesting Programs for COOP, DRP and Pandemic Plans\nFCD 1 requires all agencies to plan, conduct, and document periodic tests,\ntraining, and exercises to prepare for continuity emergencies and disasters,\nidentify deficiencies, and demonstrate the viability of their COOPs. 42 Appendix K\nof FCD 1, \xe2\x80\x9cTest, Training, and Exercises (TT&E) Program,\xe2\x80\x9d lists the following\nelements that must be included in an agency\xe2\x80\x99s testing program:\n\n        1. Annual testing of alert, notification, and activation procedures for\n           continuity personnel and quarterly testing of such procedures for\n           continuity personnel at agency headquarters.\n        2. Annual testing of plans for recovering vital records (both\n           classified and unclassified), critical information systems,\n           services, and data.\n        3. Annual testing of primary and             infrastructure systems\n           and services (e.g., power, water, fuel) at alternate facilities.\n        4. Annual testing and exercising of required physical security\n           capabilities at alternate facilities.\n        5. Testing and validating equipment to ensure the internal and\n           external interoperability and viability of communications\n           systems, through monthly testing of the continuity\n           communications capabilities outlined in Annex H (e.g., secure\n           and non-secure voice and data communications).\n        6. Annual testing of the capabilities required to perform an\n           agency\xe2\x80\x99s MEFs, as identified in the business process analysis\n           (BPA).\n        7. 
Conducting annual testing of internal and external\n           interdependencies identified in the agency\xe2\x80\x99s continuity plan, with\n           respect to performance of an agency\xe2\x80\x99s and other agencies\xe2\x80\x99\n           MEFs.\n        8. A process for formally documenting and reporting tests and their\n           results.\n        9. Reporting the test results as directed by the Department of\n           Homeland Security (DHS)/Federal Emergency Management\n           Agency (FEMA). 43\n\nIn addition, the National Strategy for Pandemic Influenza Implementation Plan,\nissued by the Homeland Security Council in May 2006, noted as follows:\n\n41\n   Disaster Recovery Planning Policy, OIT-00003-001.0, August 6, 2002, page 2, Section 7b.\n42\n   Federal Continuity Directive 1 (FCD 1), February 2008, page 10.\n43\n   Federal Continuity Directive 1 (FCD 1), February 2008, page 62, Annex K, Testing section.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                           April 23, 2012\nReport No. 502\n                                        Page 9\n                                REDACTED PUBLIC VERSION\n\x0c\xe2\x80\x9cTesting, training, and exercising of COOP capabilities are essential to\nassessing, demonstrating, and improving the ability of organizations to execute\ntheir COOP plans and programs during an emergency. Pandemic influenza\nCOOP plans should test, train, and exercise sustainable social distancing\ntechniques that reduce person-to-person interactions within the workplace.\xe2\x80\x9d44\n\nThe SEC has annual testing schedules for its COOP and DRP. As part of a\ngovernment-wide continuity exercise referred to as \xe2\x80\x9cEagle Horizon,\xe2\x80\x9d the SEC\xe2\x80\x99s\nlast COOP plan testing was performed on June 23, 2011. 
Overall DRP testing of\nselected systems was conducted for the Operations Center in June and\nNovember 2011, and quarterly data integrity testing is performed as part of the\nDRP. Regional office DRP testing is conducted on a staggered scheduled over a\nthree-year period. The SEC last conducted a pandemic flu exercise in 2007.\n\nObjectives\nThe overall objective of TWM\xe2\x80\x99s review was to determine whether the SEC had a\nviable COOP, BCP, and DRP that sufficiently supported its operations at its\nHeadquarters, Operations Center, and 11 regional offices. Further, the review\nsought to determine if the Commission is adequately prepared to perform\nessential functions during business continuity or disaster recovery event resulting\nfrom human/natural disasters, national emergency, or technological events which\ncould impact the Commission\xe2\x80\x99s ability to continue mission-critical and essential\nfunctions. The sub-objectives of our review were to:\n\n       \xe2\x80\xa2   Evaluate the Commission\xe2\x80\x99s pandemic plan to ensure it is formal,\n           documented, well-communicated, has been tested at regular\n           intervals, and meets the objectives of the National Strategy for\n           Pandemic Influenza: Implementation;\n       \xe2\x80\xa2   Assess the Commission\xe2\x80\x99s implementation and testing of its\n           pandemic plan;\n       \xe2\x80\xa2   Determine the Commission\xe2\x80\x99s plans for protecting its employees and\n           contractors during a pandemic occurrence; and\n       \xe2\x80\xa2   Evaluate the Commission\xe2\x80\x99s plans for sustaining essential functions\n           during high rates of employee absenteeism.\n\n\n\n\n44\n     National Strategy for Pandemic Influenza Implementation Plan, May 2006, page 167.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                     April 23, 2012\nReport No. 
502\n                                         Page 10\n                                 REDACTED PUBLIC VERSION\n\x0c             Findings and Recommendations\n\nFinding 1: SEC\xe2\x80\x99s COOP Policies, Procedures and\nDocuments Require Updating, More\nCohesiveness, and Inclusion of Missing Elements\n       SEC\xe2\x80\x99s COOP policies and directives are incomplete and\n       outdated. In addition, the SEC\xe2\x80\x99s COOP plan and an array of\n       supplemental documents are outdated, have missing\n       elements, and do not correlate with the SEC business needs\n       identified under FISMA. Also, the current overall COOP plan\n       document is a draft.\n\nSEC COOP Policies, Directives and Documents Are Out of Date\nand Incomplete\n\nWhile the SEC does have a COOP function and plan (including relocation sites\nand testing) in place, the program needs overall improvements. In particular, the\nSEC\xe2\x80\x99s COOP policies, directives and documents are: (a) out-of-date and\nincomplete, (b) not comprehensive; and (c) currently not being followed in some\nrespects.\n\nCurrently, the SEC\xe2\x80\x99s COOP policies and procedures are limited to OIT-issued\npolicy documents. OIT\xe2\x80\x99s policies and procedures that are related to COOP\ninclude Operating Directive 24-24.09 (02.0), Information Technology (IT)\nSecurity Business Continuity Management Program, dated August 23, 2011;\nImplementing Instruction 24-04.09.01(02.0), Business Impact Analysis, dated\nAugust 22, 2011; Disaster Recovery Planning Policy, OIT-00003-001.0, dated\nAugust 6, 2002; and Disaster Recovery Planning Procedures, OIG-00047-001.0,\ndated February 4, 2003. The Disaster Recovery Planning Policy and Procedures\ndocuments are clearly outdated. Moreover, while Operating Directive 24-04.09\nwas revised in 2011, it is nonetheless outdated in certain respects. For example,\nit refers to the Office of the Executive Director, which no longer exists. 
Further,\nas noted below, it discusses BCPs and ITCPs in detail, even though the SEC\ndecided not to prepare these types of documents for its systems because they\nbelieves the necessary elements are already included in the DRPs and BIAs.\n\nThe COOP plan documentation in place for the SEC\xe2\x80\x99s\n\n\n\n              are out-of-date. Further, these documents did not have signatures\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                   April 23, 2012\nReport No. 502\n                                   Page 11\n                           REDACTED PUBLIC VERSION\n\x0cshowing that the plans had been reviewed and were approved. Specifically, we\nwere provided with COOP plan versions for 2008 and 2010, and a draft version\nthat was dated October 2011. None of the documents were signed or appeared\nto have been approved. Further, the supplemental plan information did not\nchange between the 2008 and 2010 versions, and continued to be outdated in\nthe 2011 draft.\n\nIn addition to requiring updating and approval, the SEC\xe2\x80\x99s COOP documents need\nimprovement in both their content and organization. The overall SEC COOP\nplan is a high-level COOP document that relies on all divisions/offices and\nregional offices to maintain and update their own COOP plans independently.\nThe COOP plan documentation also includes an OIT contingency plan for\nsystems used by the COOP, which is out-of date and incomplete. Further, the\noverall 2011 draft COOP plan indicates that it supersedes the April 2008 COOP\nplan, rather than the April 2010 version.\n\nThe draft overall COOP plan states that the SEC\xe2\x80\x99s divisions/offices and regional\noffices are required to report any changes to their supplemental plans to the\nCOO. We found, however, that the supplemental plans are not being updated;\nthe documents in question are dated from 2005 to 2008. 
Additionally, the draft\noverall COOP plan references the Office of Economic Analysis which merged\nwith the former Office of Risk Assessment, and other functions to become the\nDivision of Risk, Strategy, and Financial Innovation in September 2009.\n\n   regional offices                                                       did not have supplemental\nCOOP plans. Further,                   regional offices\n     and\n\n                                   COOP roles and responsibilities or identified who\nwill perform those roles and responsibilities. While the overall COOP plan listed\nalert levels, it contained no discussion of     for the\nThere was no indication that any scenarios were reviewed or tested, but rather\nonly a general discussion of                    were\n\n\n\nFurther, we found that essential personnel information in the COOP supplements\nhas not been properly maintained and is not up-to-date. 45 In addition, while the\noverall COOP plan referenced key SEC personnel who comprise the\n                          it was not clear from the documentation whether the\n     was necessarily the same as the essential personnel listed in the\nsupplements.\n\n\n45\n Essential personnel lists are maintained on the             and can be used by SEC divisions and offices to\nmaintain and update listings of their essential personnel.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                         April 23, 2012\nReport No. 502\n                                         Page 12\n                                 REDACTED PUBLIC VERSION\n\x0cRegional Office and Division Lines of Succession Outdated. The\nHeadquarters COOP plan requires the line of succession to be\n       for the SEC\xe2\x80\x99s divisions, offices and regional offices. 
Further, each division\nand office head must establish an intra-office succession roster that is also at\n                   for each critical office position or responsibility and ensure that\nthis roster is effectively communicated within the division/office, to the Office of\nthe Secretary, and other offices as necessary. The information is required to be\nmaintained as part of the divisions/office\xe2\x80\x99s critical documents, accessible\nremotely in electronic form. We found that this required information was out-of-\ndate and is not being properly maintained. The documents were dated 2004 to\n2008, and many of the personnel listed in the documents were no longer in the\nSEC telephone registry and have likely left the agency.\n\nDivision/Office and Regional Office Vital Records Are Not Complete or Up\nto Date. The term \xe2\x80\x9cvital records\xe2\x80\x9d includes \xe2\x80\x9cinformation systems and applications,\nelectronic and hardcopy documents, references, and records needed to support\nPMEFs and MEFs during a continuity event.\xe2\x80\x9d 46 Categories of vital records\ninclude emergency operating records, and rights and interests records. 47 The\nSEC has included vital records information in its COOP plan; the overall plan\nincludes an appendix, which is based on the information provided in the\nindividual division/office and regional office COOP supplements.\n\nThe SEC divisions/offices and regional offices have included in their COOP\nsupplemental plans, spreadsheets with tabs that list their vital records. Our\nreview of these documents disclosed that they were templates that have\nincomplete content. Specifically, we found that the spreadsheets for all of the\nregional offices and 2 of the 5 randomly selected divisions/offices were missing\nkey information. 
Further, the data listed in the supplement documents does not\nmatch the information contained in the OIT contingency plan COOP document.\nThe spreadsheets were dated between 2004 and 2008 and have not been\nupdated since then.\n\nThe vital records that were listed referenced both hard copy and electronic\ndocuments and drive locations for the data. However, the vital records\nspreadsheet supplements do not indicate specifically where the information is\nmaintained, who is responsible for collecting it in the event of COOP activation,\nor how the information is to be accessed if the facility is not accessible. They\nalso do not identify how hardcopy-only data should be recovered or stored.\n\nIn addition to the individual division/office and regional office vital records data,\nthe main Headquarters COOP plan included a section on vital records. However,\ninformation for six divisions/offices\n\n\n46\n     Federal Continuity Directive 1 (FCD 1), February 2008, Annex I, page I-1.\n47\n     Federal Continuity Directive 1 (FCD 1), February 2008, Annex I, page I-1.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                             April 23, 2012\nReport No. 502\n                                           Page 13\n                                   REDACTED PUBLIC VERSION\n\x0c              were not specified. In addition, the SEC has not defined a single\nlocation where all division/office and regional office vital records requirements\nshould be backed up and verified.\n\nHeadquarters and Operations Center Overall DRPs Are Not Present Within\nthe COOP documentation. 
An organization\xe2\x80\x99s DRP \xe2\x80\x9capplies to major, usually\nphysical disruptions to service that deny access to the primary facility\ninfrastructure for an extended period.\xe2\x80\x9d 48 A DRP is an information system-\nfocused plan designed to restore operability of the target system, application, or\ncomputer facility infrastructure at an alternate site after an emergency. The DRP\nplan may be supported by multiple information system contingency plans to\naddress recovery of impacted individual systems once the alternate facility has\nbeen established. 49 Our review of the SEC\xe2\x80\x99s various COOP documents revealed\nthat there is no specific DRP for SEC\xe2\x80\x99s Headquarters and the Operations Center.\nSome DRP items are included in the SEC\xe2\x80\x99s overall COOP document and OIT\ncontingency plan; however, these documents are under revision and in draft\nform.\n\nIndividual System and Regional Office DRPs are Outdated, In Draft Form\nand/or Incomplete. During our review, we identified numerous problems with\nthe DRPs for individual systems. Of the                systems reviewed, we found\nthat             hosted systems did not have DRPs, and                       hosted\n                               50\nsystems did not have DRPs. Further,             system DRPs were in draft form, and\n     DRPs were outdated. 
Moreover, all the DRPs we reviewed were missing\nsome traditional elements (e.g., risk management, budget and acquisition, order\nof succession, concurrent processing, recovery period, access control policy and\nprocedures, alternate facilities, alternate site travel logistics, vital records,\nrestoration, personnel and vendor contract lists, relocation of families, service\nlevel agreements, and additional notification procedures).\n\nWith respect to our review of regional office DRPs (as well as the overall COOP\nplan document and the OIT contingency plan), a detailed list of issues we\nidentified with those documents is included at Appendix II.\n\nThe SEC Does Not Prepare BCPs or ISCPs for its Information Systems.\nBCPs address sustaining an organization\xe2\x80\x99s mission or business processes and\nthe information systems that support those mission or business processes during\nand after a significant disruption. BCPs are often developed at the organization\xe2\x80\x99s\n\n\n\n48\n   NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page\n10, section 2.2.6.\n49\n   NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page\n10, section 2.2.6.\n50\n   Appendix III includes a list of the systems for which no DRP had been prepared.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                   April 23, 2012\nReport No. 502\n                                      Page 14\n                              REDACTED PUBLIC VERSION\n\x0cfield level or for mission or business processes that are not prioritized as mission\nessential. 51\n\nOur review determined that the SEC only prepares DRPs and BIAs for its\napplications and does not prepare BCPs or ISCPs, even though Operating\nDirective 24-04.09, requires them to be prepared and indicates that BCPs serve\nas a primary input in the COOP plan. 
52 OIT staff stated that BCPs and ISCPs\nwere not needed because the contents of the BIAs and DRPs included the\ncomponents of a BCP or ISCP. However, as described below, we found that\nsome BCP elements were missing from the SEC\xe2\x80\x99s COOP documents.\n\nMissing Business Continuity Plan Elements. Our review found that some\nBCP elements (e.g., budget and acquisition, concurrent processing) were not\naddressed in the SEC\xe2\x80\x99s DRPs and BIAs. 53 A DRP refers to an information\nsystem-focused plan that is designed to restore operability of one or more\ninformation systems at an alternate site after a major disruption that usually\ncauses physical damage to the original data center. 54 We determined that the\nSEC\xe2\x80\x99s current DRP and BIAs do not address the aspects of BCPs, thus giving\nrise to the possibility of failure should an actual event occur. 55 According to OD\n24-04.09, BCPs are be managed by the organizational units that own the\nbusiness processes and/or facilities, under the approval of the COOP\ncoordinator. 56\n\nWe also found that the SEC\xe2\x80\x99s COOP documents lack the critical tie to the SEC\xe2\x80\x99s\nbusiness and mission essential functions. 
While the SEC prepared BIA\ndocuments, these documents do not necessarily reflect what is actually needed\nfor agency activities that must be performed immediately versus activities that\nare not needed immediately, and support the agency\xe2\x80\x99s mission after the fact.\nFurther, the information contained in the SEC\xe2\x80\x99s BIAs does not coincide with the\nreporting under FISMA regarding the availability needs for the agency\xe2\x80\x99s systems.\nOne example of a business function that has an immediate requirement is the\nSEC\xe2\x80\x99s                        , which is a collection of software\n\n51\n   NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, May 2010,\nAppendix C, page C-1.\n52\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, page 4, section 5e. The policy further indicates that SEC division directors, office heads, and\nregional directors are responsible for organizational or regional level BCP. Operating Directive 24-04.09\n(02.0), IT Security Business Continuity Management Program, August 23, 2011, page 6, section 6.4, section\n5e.\n53\n   The BCP elements that we used in reviewing the SEC\xe2\x80\x99s DRPs and BIAs were based upon best practices\nderived from a variety of sources including, among others, NIST 800-34, the Interagency Statement on\nPandemic Planning, as well as SEC Operating Directive 24-04.09.\n54\n   NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page\nC-1, Appendix C, paragraph 3.\n55\n   NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010,\nAppendix C, paragraph 3.\n56\n   Operating Directive IT Security Business Continuity Management Program, OD 24-04.09 (02.0), August\n23, 2011, page 4, section 5e.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                      April 23, 2012\nReport No. 
[redacted] This critical real-time function has not been defined in the SEC's BIAs.

TWM examined all system DRPs and BIAs and recorded the date each was prepared and the date it was reviewed. We then randomly selected [redacted] systems for a detailed review of the documents to determine whether the traditional elements were included. We found missing elements, including the [redacted] where system-specific documentation and scripts are located, background information, validation and functionality testing processes, alternate processing procedures, business-process-specific data input/output diagrams, and software license requirements. A list of the specific issues we identified based upon the documents we reviewed is at Appendix III.

Business Impact Analysis Missing, Outdated, or Incomplete. While we determined that a BIA document was present for all internally hosted systems, some of the BIAs were outdated and/or incomplete. In particular, we found that the completed BIAs for [redacted] systems are three years old and are, therefore, considered out-of-date. Further, we found that BIAs had not been updated to reflect the fact that the SEC's former district offices are now regional offices. We also found there were no BIAs for the [redacted] FISMA-reportable [redacted] hosted systems.

Our detailed review of the BIAs for [redacted] selected systems revealed that they lacked traditional BIA elements. For example, we found the following sections to be missing: [redacted] were missing the Background section; three were missing the Resources section; one was missing the Process Criticality section; six were missing the Threats and Hazards section; [redacted] were missing the Cost Balance Point section; [redacted] were missing the MEF Impact section; [redacted] were missing the Threat Risk Value section; and [redacted] were missing the Recovery Priority Objective section. Further, there was no indication that the BIAs had been reviewed or approved, and [redacted] system's BIA Data Collection forms did not have a date indicating when the forms were completed.

Integration of Pandemic Planning into COOP Documents Is Needed. Pandemic influenza "is a global outbreak of disease that occurs when a new influenza virus emerges in human populations and causes serious illness. Because there is little natural immunity, the disease can spread easily from person to person, rapidly moving across the country and around the world." [59]

According to the Contingency Planning Guide for Federal Information Systems, "[c]ommon strategies to protect personnel health during a pandemic outbreak include stricter hygiene precautions and reducing the number of personnel working in close contact with one another through implementation of 'social distancing.' Approved telework arrangements facilitate social distancing through working at home while sustaining productivity. Government-run telework sites are also available to federal employees who cannot work from home or the office." [60]

According to pandemic guidance, a BCP "should address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations, a testing program and an oversight program to ensure that the plan is reviewed and updated." [61] As noted above, OIT only creates DRPs and BIAs for SEC applications and does not create BCPs. We found that only two of the regional offices' COOP plan supplements [redacted] included any pandemic information.

While the SEC has a pandemic plan in place, the lack of a BCP addressing pandemic events could negatively impact the implementation of the pandemic plan. Further, the overall SEC COOP plan indicates that it includes events related to pandemic, but it does not contain specific information related to pandemic planning or impact on operations. In addition, we found that there is no specific mention in the pandemic plan of alternate procedures for credentialing and hiring during a pandemic or how these functions would be accomplished remotely. If the systems required to be accessed remotely were non-operational, credentialing and hiring would have to be accomplished using manual processes until the systems were available and then reconstructed in the electronic system, which might prove to be difficult during a pandemic event.

Review and Approval Not Indicated on COOP Program Documents. FCD 1 outlines the requirements to support the continuity program management cycle, noting that "agencies will develop a continuity multiyear strategy and program management plan that provides for the development, maintenance, and the annual review of continuity capabilities." [62] These requirements include designating and reviewing MEFs and PMEFs, as applicable, and defining both short-term and long-term goals and objectives for plans and procedures. [63]

[57] We were informed that management has recently purchased a license for an Internet service option for the [redacted]; however, this option is not yet operational.
[58] In contrast to the immediate requirement for the [redacted], [redacted] could be performed manually during an unscheduled event and, therefore, would not have the same recovery needs or timeline as an essential activity requiring immediate attention.
[59] NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, May 2010, Appendix D, page D-2. In addition, FCD 1 provides that continuity planning should include "planning for the challenges posed by extended events (like a pandemic) that occur in repeated waves." Federal Continuity Directive 1 (FCD 1), February 2008, Annex A, page A-4.
[60] NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, May 2010, Appendix D, page D-2. We were informed that in the past, the SEC Executive Director had approved telework for SEC employees during any officially recognized pandemic, with the concurrence of an employee's supervisor.
[61] Interagency Statement on Pandemic Planning, page 1. (This is joint guidance issued for financial institutions by the Federal Financial Institutions Examination Council agencies.)
[62] Federal Continuity Directive 1 (FCD 1), February 2008, page 6.
[63] Federal Continuity Directive 1 (FCD 1), February 2008, page 6.
Based upon our review of the DRP and BIA documents for the individual systems, we determined that the documentation did not evidence review and approval at least annually. We also found that the SEC's Pandemic Plan did not indicate the date it was reviewed.

    Recommendation 1:

    The Office of the Chief Operating Officer should ensure that the Office of Freedom of Information Act, Records Management and Security completes its review of the agency-wide continuity of operations program (COOP) to ensure the Commission's COOP is comprehensive, cohesive, and in compliance with federal guidance.

    Management Comments. OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OFRMS concurred with this recommendation.

    Recommendation 2:

    The Office of Freedom of Information Act, Records Management, and Security should revise and update the Commission's continuity of operations program policies and procedures to ensure they are comprehensive, complete, and up-to-date.

    Management Comments. OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OFRMS concurred with this recommendation.

    Recommendation 3:

    The Office of Freedom of Information Act, Records Management, and Security (OFRMS) and Office of Information Technology (OIT), in conjunction with the program divisions/offices and regional offices, should update, revise and finalize all continuity of operations program (COOP) documents, including the overall Headquarters COOP plan, individual division/office COOP plans, regional office COOP supplements, disaster recovery plans, business continuity plans and business impact analyses, and pandemic plan supplements. OFRMS and OIT should ensure these documents are complete and include all the necessary elements, and that they properly define the Commission's essential functions. In addition, processes should be implemented to ensure annual review and approval of these documents.

    Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

    Recommendation 4:

    The Office of Freedom of Information Act, Records Management, and Security, in conjunction with program and regional offices, should ensure that vital records and lines of succession are properly identified, documented and readily available during continuity events.

    Management Comments. OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OFRMS concurred with this recommendation.

Finding 2: Network Weaknesses Could Affect the SEC's Continuity of Operations and Disaster Recovery Plans

    The review identified instances in which information feeds and power distribution throughout the SEC network could fail were a disruption to occur.

Robust Network and Power Redundancy Are Not Complete

The absence of [redacted] (redundancy) for elements or parts of a system may result in a failure that could disable the entire system. An appropriate level of redundancy is necessary for any system with a goal of high availability or reliability, including business practice, software application, or other industrial systems. Our review revealed [redacted]

[redacted] Information Feeds Go Through [redacted]

The SEC's [redacted] information feeds located at the [redacted] The initial information [redacted]

    Recommendation 5:

    The Office of Information Technology (OIT), in conjunction with the primary program information users, should identify [redacted] at the alternate locations should [redacted] be unavailable. Further, OIT should review the Securities and Exchange Commission's (SEC) network and topology to ensure there are [redacted]

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis.
    We are pleased that OIT concurred with this recommendation.

    Recommendation 6:

    The Office of Information Technology should ensure proper power distribution [redacted]

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OIT concurred with this recommendation.

Finding 3: The COOP Systems' Availability Categorization and Utilization Should be Reviewed

    Our review found inconsistencies between the availability categorization of the systems reported to OMB under FISMA and the recovery time objectives established for SEC COOP systems.

SEC Recovery Time Objectives are Not Consistent With FISMA's System Categorization for Availability

Effective contingency planning begins with the development of an organization contingency planning policy and subjection of each information system to a BIA. This facilitates the prioritization of systems and processes based on the Federal Information Processing Standard (FIPS) 199 impact level (utilized under FISMA) and develops priority recovery strategies for minimizing loss. FIPS 199 provides guidelines for determining information and information system impact to organizational operations and assets, individuals, other organizations, and the nation through a formula that examines the three security objectives of confidentiality, integrity, and availability. [65] The highest rated of the three security objectives determines the overall security categorization for the system of high, moderate, or low, based upon the definitions contained in FIPS 199. [66]
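The high-water-mark rule just described, together with the comparison of recovery time objectives (RTOs) against availability categorization that this finding goes on to report, can be expressed as a small audit script. The Python below is an added example and is not the OIG's or the SEC's tooling; the per-level RTO floors in MIN_PLAUSIBLE_RTO_HOURS, the SystemRecord fields and the SYS-A to SYS-D sample inventory are assumptions constructed for illustration, because the report's actual RTO values are redacted.

```python
"""Added example (not from the OIG report or the SEC): FIPS 199 high-water-mark
categorization plus the RTO/criticality consistency checks described in Finding 3.
The RTO floors and the sample systems are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


def high_water_mark(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199: the overall category is the highest rating among the three objectives."""
    objectives = (confidentiality, integrity, availability)
    for level in objectives:
        if level not in IMPACT_RANK:
            raise ValueError(f"unknown FIPS 199 impact level: {level!r}")
    return max(objectives, key=IMPACT_RANK.__getitem__)


# Assumption: shortest RTO (hours) considered plausible for an availability level.
# Illustrative thresholds only; the report's real RTO figures are redacted.
MIN_PLAUSIBLE_RTO_HOURS = {"high": 0.0, "moderate": 24.0, "low": 72.0}


@dataclass
class SystemRecord:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    bia_rto_hours: Optional[float]     # RTO stated in the system's own BIA
    matrix_rto_hours: Optional[float]  # RTO listed in the COOP BIA matrix
    bia_critical: bool                 # criticality per the BIA
    matrix_critical: bool              # criticality per the BIA matrix


def check_system(rec: SystemRecord) -> List[str]:
    """Return the inconsistencies found for one system (empty list = consistent)."""
    issues: List[str] = []
    overall = high_water_mark(rec.confidentiality, rec.integrity, rec.availability)
    if rec.bia_rto_hours is None:
        issues.append("no RTO stated in BIA")
    else:
        floor = MIN_PLAUSIBLE_RTO_HOURS[rec.availability]
        if rec.bia_rto_hours < floor:
            issues.append(
                f"RTO {rec.bia_rto_hours:g}h is aggressive for availability={rec.availability} "
                f"(overall category {overall})"
            )
        if rec.matrix_rto_hours is not None and rec.matrix_rto_hours != rec.bia_rto_hours:
            issues.append(
                f"BIA RTO {rec.bia_rto_hours:g}h differs from BIA-matrix RTO {rec.matrix_rto_hours:g}h"
            )
    if rec.matrix_critical and not rec.bia_critical:
        issues.append("listed as critical in the BIA matrix but not critical per the BIA")
    return issues


def audit(records: List[SystemRecord]) -> Dict[str, List[str]]:
    """Run check_system over an inventory and key the results by system name."""
    return {rec.name: check_system(rec) for rec in records}


# Constructed sample inventory (names and values are illustrative, not SEC systems).
SAMPLE_SYSTEMS = [
    SystemRecord("SYS-A", "moderate", "moderate", "moderate", 4.0, 4.0, True, True),
    SystemRecord("SYS-B", "low", "moderate", "low", 96.0, 24.0, False, True),
    SystemRecord("SYS-C", "high", "high", "high", 1.0, 1.0, True, True),
    SystemRecord("SYS-D", "moderate", "moderate", "moderate", None, 48.0, True, True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_SYSTEMS).items():
        print(name, "->", issues or "consistent")
```

The check deliberately reads the availability objective, not the overall category, when judging an RTO: a system can be "moderate" overall because of confidentiality while its availability objective is low, which is exactly the case in which an aggressive RTO buys documentation, testing and infrastructure that the mission does not need.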

By reviewing the FISMA systems that the SEC reported to OMB for 2011, we determined that most of the SEC's FISMA-reportable systems have a system security categorization of moderate, which indicates that the goal of system availability is no more than moderate and, in some cases, may be low. Recovery time objectives are the overall length of time an information system's components can be in the recovery phase before the organization's mission or business functions are negatively impacted. Our review found that some individual system BIAs indicated a recovery time objective of [redacted] while those same systems have only a security categorization of moderate under FISMA. Further, we found FISMA security systems categorized as moderate that were listed with a recovery time objective of [redacted] in the COOP BIA matrix recovery time objective document, even though the BIA stated a different recovery time objective for those systems. For systems with a moderate to low availability as indicated by an overall FISMA security categorization of moderate, SEC COOP established recovery time objectives may be overly aggressive and could result in unnecessary expense in documentation, testing, and infrastructure. Finally, our examination of documents provided by SEC personnel reflecting their review of the externally hosted systems included in the SEC's FISMA-reportable systems identified some instances where the availability rating was either low or not stated, while the SEC reported these systems under FISMA as having an availability rating of moderate.

[65] NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 5, section 2.1.
[66] NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 6, section 2.1.

Recovery Time Objectives Need to Be Consistent with System Functionality. As noted above, most SEC FISMA-reportable systems have a system security categorization of moderate. Moderate availability does not typically indicate a recovery time objective of [redacted]; such a short recovery time is usually appropriate for systems with a high availability requirement. We also found COOP documentation stating that communications and information systems would be available within [redacted] at the alternate location after plan activation and capable of supporting the continuation of SEC essential functions for a period of up to 30 days, or until normal operations resume. An availability period of [redacted] does not correspond with individual system recovery time objectives of [redacted]

SEC management indicated that availability goals for SEC systems are defined based on FCD 1 and the SEC's definition of essential, mission essential, and program mission essential functions. These availability goals should be consistent with the FISMA ratings and BIAs for the systems. However, we found SEC systems with a recovery time objective of [redacted] which was inconsistent with the COOP documentation for these systems, as well as the FISMA categorization of the systems. For example, the NotiFind emergency notification system has a MEF designation of immediate, but is being externally hosted at a location with an availability rating of moderate. Further, the SEC has no DRP for NotiFind or any records showing that testing has been conducted for the system. We also found that there were some systems listed as critical in the BIA Matrix Recovery Time Objectives even though the BIAs themselves state that the systems are not critical.

Underutilization of [redacted]. The SEC's Disaster Recovery Planning Policy, OIT-00003-001.0, which was issued in 2002, requires SEC personnel to maintain disaster recovery information in the [redacted] [67] However, [redacted] is not being fully utilized for this objective at this time. While [redacted] has been used for templates and some list keeping, the system has not been fully utilized, raising questions as to why it should be rated critical for disaster recovery purposes or even retained. [68]

[67] SEC Disaster Recovery Planning Policy, OIT-00003-001.0, August 6, 2002, page 2, section 7b.

    Recommendation 7:

    The Office of Freedom of Information Act, Records Management, and Security, in conjunction with the Office of Information Technology and system owners, should revise the Securities and Exchange Commission (SEC) system recovery time objectives to specify more realistic timeframes, based on the ability to transition to the alternate site, and then determine acceptable recovery times. The recovery plan and priority of recovery of the systems should be based on the overall mission of the agency with a focus on real-time monitoring of the markets.
    Further, the identification of high priority systems should focus on the immediate mission of the agency, and systems documentation should also be reviewed to ensure proper recovery priority is reflected based on the contribution to the SEC's mission and functions.

    Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

    Recommendation 8:

    For underutilized systems such as the [redacted] the Office of Information Technology should consider discontinuing maintenance, retiring the system, or alternatively making more robust use of the system such that additional Commission funds are not wasted on underutilized systems.

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OIT concurred with this recommendation.

[68] OIT indicated that it was considering changing the rating of [redacted] to non-critical based upon its review of that system.

Finding 4: Improvements Are Needed in Recovery from [redacted] and Related Testing

    The regional offices' disaster recovery exercises do not include restoration from [redacted] which is the primary method used to restore regional office data, or from the [redacted] that serves as the secondary recovery method. In addition, the current [redacted] processes are insufficient.

The SEC Has Not Tested Recovery from [redacted]

According to the Contingency Planning Guide for Federal Information Systems, "[s]ystem data should be backed up regularly. Policies should specify the minimum frequency and scope of [redacted] (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data [redacted] policies should designate the location of stored data, file-naming conventions, media rotation frequency, and method for transporting data offsite." [71] In addition, "[redacted] media should be stored offsite in a secure, environmentally controlled location." [72]

The Contingency Planning Guide for Federal Information Systems further provides that testing is a critical element of a viable contingency capability. "Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan." [73]

By reviewing the FISMA systems the SEC reported to OMB for 2011, we determined that most of the SEC's FISMA-reportable systems have a system security categorization of moderate, which indicates that the availability is no more than moderate and, in some cases, may be low. For a security categorization of moderate impact, exercise procedures should be developed to include an element of system recovery from [redacted] [74]

[69] As previously mentioned, the regional offices are [redacted] and management expects to have this effort completed during 2012.
[71] NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 21, section 3.4.2.
[72] NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 46, section 5.1.5.
[73] NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 27, section 3.5.1.
[74] NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 30.

The SEC currently utilizes automated [redacted] as the [redacted] for its SEC systems, although the SEC has plans to replace the [redacted] with a [redacted] in the near future. We found that SEC's regional offices have not tested system recovery from [redacted] and have not successfully transitioned to an alternate site. We also identified several lessons learned reports from regional office DRP testing exercises and open plans of action and milestones indicating issues and concerns with the [redacted]

Difficulties with Data Restoration at the [redacted]. As part of our review, we visited both the [redacted] to observe the restoration of regularly scheduled [redacted] of [redacted] randomly selected systems. [redacted] of these systems were part of the database storage area network. OIT staff indicated that in order to restore these individual systems, the entire server hosting the multiple applications and systems would have to be restored, which would have taken well over [redacted] hours. For another group of systems we selected, OIT staff stated that the [redacted] of the application folder takes over [redacted] hours and it would take at least that long to restore the systems. As a consequence, it was questionable whether the indicated recovery time objectives for these systems of [redacted] could be met. Further, for the last of the [redacted] systems selected for testing, the [redacted] OIT staff could not locate the [redacted] and indicated that the [redacted] application was not being [redacted]. Finally, we found that OIT's June 2011 Headquarters disaster recovery exercise did not include restoring or testing [redacted] although testing of the [redacted]

Review of Individual System and Regional Office [redacted] Procedures. In order to assess individual system [redacted] we reviewed BIAs for a random sample of [redacted] critical systems: [redacted]

Our review found the [redacted] system (a FISMA-reportable system, even though it is a test system with only 6 to 8 users) was scheduled to be backed up biweekly, instead of in daily increments and weekly [redacted] per the DRP requirements. We also found that the COOP, DRP and BIA documents for [redacted] did not include language regarding [redacted], there was no DRP for the [redacted] system, and the [redacted] BIA did not include any written [redacted] procedures. Because the [redacted] is relying on the [redacted] as its off-site [redacted] if operations shifted to the Alternate Data Center, these two systems would have to be rebuilt and any data stored on them could be lost.

[redacted] for the regional offices consists of [redacted] of their [redacted] This process permits virtually instantaneous transition to the [redacted] servers in the event of a disaster warranting such action.
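The two checks the review performed above, whether observed backup jobs keep to the DRP schedule and whether measured restore times fit within each system's recovery time objective, are straightforward to automate over job records. The following Python is an added example, not code from the OIG review or from OIT; the policy intervals, the SYS-TEST and SYS-DB names, the job timestamps and the restore durations are constructed assumptions modelled on the "daily increments and weekly full" wording and the restore-time observations in this finding.

```python
"""Added example (not from the OIG report or OIT): check backup job history against
the DRP schedule and compare measured restore times against recovery time objectives.
Policy intervals, system names, job records and durations are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed DRP requirement, modelled on the "daily increments and weekly full" wording.
POLICY = {"incremental": timedelta(days=1), "full": timedelta(days=7)}
TOLERANCE = timedelta(hours=6)  # slack for jobs that finish a little late

# Constructed job-completion records: "<system> <kind> <ISO timestamp>".
SAMPLE_JOBS = """\
SYS-TEST full 2012-01-01T02:10:00
SYS-TEST full 2012-01-15T02:05:00
SYS-TEST full 2012-01-29T02:12:00
SYS-DB full 2012-01-01T01:00:00
SYS-DB incremental 2012-01-02T01:00:00
SYS-DB incremental 2012-01-03T01:00:00
SYS-DB incremental 2012-01-04T01:00:00
SYS-DB incremental 2012-01-05T01:00:00
SYS-DB incremental 2012-01-06T01:00:00
SYS-DB incremental 2012-01-07T01:00:00
SYS-DB full 2012-01-08T01:00:00
"""


def parse_jobs(text: str) -> Dict[str, Dict[str, List[datetime]]]:
    """Group completion timestamps by system and backup kind."""
    jobs: Dict[str, Dict[str, List[datetime]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        system, kind, stamp = line.split()
        jobs.setdefault(system, {}).setdefault(kind, []).append(datetime.fromisoformat(stamp))
    return jobs


def schedule_findings(jobs: Dict[str, Dict[str, List[datetime]]],
                      policy: Dict[str, timedelta] = POLICY,
                      tolerance: timedelta = TOLERANCE) -> Dict[str, List[str]]:
    """For each system, list backup kinds that are missing or run less often than policy."""
    findings: Dict[str, List[str]] = {}
    for system, by_kind in jobs.items():
        issues: List[str] = []
        for kind, interval in policy.items():
            times = sorted(by_kind.get(kind, []))
            if not times:
                issues.append(f"no {kind} backups recorded")
                continue
            gaps = [later - earlier for earlier, later in zip(times, times[1:])]
            worst = max(gaps) if gaps else timedelta(0)
            if worst > interval + tolerance:
                issues.append(
                    f"{kind} backups observed every {worst.days} days; "
                    f"policy requires every {interval.days}"
                )
        findings[system] = issues
    return findings


def restore_shortfall(restore_hours: Dict[str, float],
                      rto_hours: Dict[str, float]) -> Dict[str, float]:
    """Systems whose measured restore time exceeds the RTO, with the excess in hours."""
    return {
        system: restore_hours[system] - rto_hours[system]
        for system in restore_hours
        if system in rto_hours and restore_hours[system] > rto_hours[system]
    }


# Constructed figures: hours to restore the whole hosting server vs. the stated RTO.
SAMPLE_RESTORE_HOURS = {"SYS-DB": 30.0, "SYS-TEST": 2.0}
SAMPLE_RTO_HOURS = {"SYS-DB": 8.0, "SYS-TEST": 24.0}

if __name__ == "__main__":
    print(schedule_findings(parse_jobs(SAMPLE_JOBS)))
    print(restore_shortfall(SAMPLE_RESTORE_HOURS, SAMPLE_RTO_HOURS))
```

The restore-time figure fed to restore_shortfall should be the time to restore the unit that actually has to be restored (here, the whole server hosting several applications), not the size of the one application's folder; that is what turns a nominal RTO into an unmet one.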
It should be noted, however, that transition of service from the secondary site back to the primary site may take a significant amount of time, depending on the number of changes made while operating from the secondary site and the total amount of data involved. This potential delay in restoring service back to the primary site is a factor that should be considered when deciding whether transition to a secondary location is justified during a disaster situation. The [redacted] were established as [redacted] for the replication target servers, and these three locations host the regional office [redacted]

Our review of the documentation pertaining to the [redacted] method disclosed that there is no documented [redacted] and recovery plan for the replication system's operations. We also determined that OIT operational groups were not fully familiar with the recovery strategies, as indicated in disaster recovery testing results. We concluded that the loss of a [redacted] could result in the loss of the replication support for [redacted] regional offices, and found that there are no procedures in place for reassigning the hosted replication and recovery responsibilities. Based upon a review of the regional office disaster recovery plan, we found that if a regional office's servers were [redacted] as a result of a disaster recovery, [redacted] for any non-affected regional offices. Additionally, we found that there were no policies and procedures to provide for [redacted] (which is the primary regional office [redacted] method) to be performed at the secondary transition site. Difficulties in [redacted] could be encountered at the transition site as insufficient tapes might be available because the volume of data could increase to levels dramatically exceeding the transition sites' current capabilities.

Regional Office [redacted] May Not Be Readily Available. While the regional office transition sites (e.g., the [redacted] are capable of hosting systems for the SEC's regional offices in the event of a disaster recovery, we determined that the regional office transition sites may not have ready access to [redacted] because they are kept at [redacted], per the disaster recovery plans. Additionally, we found that eight regional offices [redacted] have not identified alternate locations (or emergency operation centers) for SEC staff to work from during disaster recovery and have not addressed in DRPs or disaster recovery testing the procedures for remotely accessing information from the designated transition site. Further, the regional office DRPs do not include the number of software licenses for each product used for systems or a licensing strategy.

Survey Questions Concerning [redacted] Access and Validation. We conducted an agency-wide survey to gather information on the staff's perspectives on the SEC's COOP, including the DRP, BCP, essential personnel, and OIT continuity-related activities, as well as the SEC's pandemic plan. The survey's overall response rate was over 70 percent. The survey results indicated that there was insufficient understanding of the requirements for maintaining adequate [redacted] on the part of those responding to questions about [redacted]. Seventy-six percent of the 132 persons who responded to the pertinent survey question indicated that they knew where their division/office's [redacted] was located, but only 30 percent of 130 respondents indicated that they could access the [redacted] Further, 43 percent of 115 respondents indicated they had not verified that their critical data was being [redacted] within the last year or a longer time period.

    Recommendation 9:

    The Office of Information Technology (OIT), in conjunction with system owners, should identify the [redacted] requirements (e.g., files, data, and system software) for all systems (at minimum, Federal Information Security Management Act reportable systems). OIT should ensure that [redacted] requirements are documented, understood by the owner, and published for future reference. Further, OIT should ensure system software licenses and key requirements are included in [redacted] documentation, and the location of this information is known to ensure restoration capability at the alternate location site.

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OIT concurred with this recommendation.

    Recommendation 10:

    The Office of Information Technology, in conjunction with the regional offices, should document the processes and procedures to be used in the event that a regional office needs to restore its systems at a regional office transition site, and the corresponding effect on the [redacted] procedures for other regional offices that may need to use a regional office transition site or alternate method to ensure recoverability.

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OIT concurred with this recommendation.

    Recommendation 11:

    The Office of Information Technology (OIT) should continue its efforts to replace the regional office's tape [redacted] systems. Additionally, OIT should define a [redacted] and recovery strategy for multi-hosted application restoration for the regional offices. OIT should also document the system-specific files and database items, in order to facilitate the ability to restore only necessary items, rather than the entire database, which could take many hours to accomplish and is not in line with the recovery time objectives for individual systems.

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OIT concurred with this recommendation.

    Recommendation 12:

    The Office of Information Technology should implement consistent and appropriate [redacted] schedules for mission essential and Federal Information Security Management Act reportable systems, including daily, weekly, and monthly [redacted] processes and procedures, to ensure these systems are recoverable.

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis. We are pleased that OIT concurred with this recommendation.

    Recommendation 13:

    The Office of Information Technology should include in the Disaster Recovery Plan and Business Continuity Plan testing steps that are designed to ensure the restoration from [redacted] media that is consistent with the requirements for systems that are rated as moderate, in accordance with the National Institute of Standards and Technology guidance under the Federal Information Security Management Act.

    Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

    OIG Analysis.
We are pleased that OIT concurred with this
       recommendation.


Finding 5: Remote Access/Telework Testing Was
Not Included in the SEC’s DRP and Pandemic
Plan Testing
       There is no evidence that remote access (user access from
       non-office locations) was tested during the DRP and
       pandemic plan testing that was conducted from 2007 to
       2011.

The SEC is Not Fully Testing Remote Access/Telework for All
Essential Personnel on a Regular Basis

Federal legislation has placed a priority on telework. For example, on December
8, 2004, Congress enacted Public Law 108-447, which required the SEC to
certify within two months that telecommuting opportunities were made available
to 100 percent of the eligible workforce. On December 9, 2010, the Telework
Enhancement Act of 2010, Public Law 111-292, was enacted, which required
that, within 180 days, executive agencies establish a telework policy authorizing
telework for all eligible employees, determine the eligibility of all employees to
participate in telework programs, and notify all employees of their eligibility to
telework. The Telework Enhancement Act of 2010 also required agencies to
incorporate telework into their COOP plans.

An effective telework program requires that employees be able to access the
SEC network remotely. The SEC has established two primary methods for
remote access: (1) the use of a token to acquire virtual private network (VPN)
access; (2) the use of a                                   75
Through VPN and/or           SEC personnel and contractors can gain access to
their e-mail, network applications,           sites, network data files, and their
desktops. 
The SEC has issued           tokens for access through VPN and\n               SEC staff who have been identified as essential personnel under\nthe SEC\xe2\x80\x99s COOP are required to have remote network access capability through\nboth of these two primary methods.\n\nBased upon a review of COOP documents including those found on the\n     we identified personnel: (a) listed as essential who no longer work at the\nSEC, (b) listed as essential who have not been issued remote access devices,\nand (c) who were issued devices and have not tested them. Documentation\nrelated to COOP 2009 testing indicated that remote access testing was included\nas part of that exercise. 76 Further, our review of COOP and disaster recovery\ntest plans and reports reflected that while there was some end-user testing\nconducted during disaster recovery, there was no indication that users were\nlogging into the                                      from a telework or other\nalternate work site.\n\nEssential Personnel             Access. Our review found that some essential\npersonnel who had been issued            devices have never logged in or have not\nlogged in remotely within the past year and, therefore, have not effectively tested\ntheir ability to log in during an unscheduled event. Of     identified essential\npersonnel,         have been issued                 We reviewed system log\nextracts to determine whether those essential personnel had utilized their remote\n       access and found                                    had not logged onto the\nSEC\xe2\x80\x99s network remotely since March 2010. 
Further, we found that          of the                                                     77
had never logged onto the SEC’s network remotely.

Remote access to the SEC’s network serves as an important contingency
capability in the event of an emergency or serious system disruption by providing
access to SEC data for recovery teams or users from another location. If remote
connectivity is not tested regularly, connectivity may be difficult during an event.

75
   While the SEC has other methods of remote access, such as
              we focused our review on                  because these methods are more appropriate for
conducting business activities lasting up to 30 days.
76
   We received this documentation after our fieldwork was completed.
77
   Of the                     that OIT has issued to SEC contractors and employees as of December 2011,
we found that 167 (11.2 percent) of the recipients had not logged onto SEC’s network since March 2010.

Essential Personnel VPN Access. To review VPN access, we randomly
selected    of the    essential personnel78 and found that     (70 percent)
had not logged onto the SEC’s network through VPN since May 2010.

In addition, TWM encountered difficulties in establishing remote access to the
SEC network. In fact, it took TWM over two months to fully establish VPN
access and connectivity on laptops running three different operating systems.
We found that while the remote access environment is equipped to support the
majority of the SEC users, there are issues that need to be resolved with
direction and support of configurations for the end user. 
Therefore, end users\nmust review, configure, and test their remote access capabilities on a scheduled\nbasis to ensure that their systems are operational if activation is required during\nan event.\n\nIdentification of Remote Access for Five Systems Revealed Problems. We\nrandomly selected five of the COOP identified critical systems\n\n\n\nFor the systems selected, we compared the identified number of system users\ncontained in the DRP or BIA documents with the number of users who have been\nissued remote access devices according to the applicable group or function. We\nfound that 60 percent of the user base was not immediately identifiable as having\nremote access. For one system, no information was available concerning the\nnumber of system users. We found that two systems had adequate remote\naccess based on the user base.\n\nRemote Access to Desktops Could Be Improved. We found that SEC\ncontractors and employees who use SEC workstation-specific applications\nremotely must ensure that their office desktop computers (or laptops if left at the\noffice) are turned on. Further, our survey of SEC personnel and contractors\ndetermined that 570 of 1,871 respondents (30.5 percent) indicated that their\nremote access of SEC computer systems required the normal worksite desktop\nor laptop to be left on, while 276 of 1,871 respondents (14.8 percent) were\nunsure as to whether the desktop or laptop had to be left on. Additionally, if the\npower is out at the SEC\xe2\x80\x99s office locations, contractors and employees who have\nworkstation-specific software cannot access their desktops remotely. 
We found
that remote access capabilities would be enhanced if remote access to desktop
applications could function even if the user’s desktop computer was turned off or
did not have power.

78
  OIT could not readily determine how many of the   identified essential personnel had been issued
tokens for remote VPN access.

Teleworking and Remote Access Not Defined in COOP Documents. We
observed that the SEC’s COOP documents do not clearly define when
teleworking may be used for COOP activities or which staff members who have
not been identified as essential personnel are allowed to telework. Our survey
revealed that 934 of 2,334 respondents (40 percent) did not know if they were
required to work from an alternate worksite during an unscheduled event.
Further, 417 respondents indicated that they were required to go to an alternate
worksite during an unscheduled event, and 215 respondents indicated that they
knew the location of their alternate worksite. Of these 215 respondents, 75 (34.9
percent) identified their “home or residence” as the alternate worksite. These
responses imply that these individuals are scheduled to telework during an event
even though this option is not specified in the COOP documents.

Pandemic Specific Remote Access Requires Testing. The SEC has a
pandemic plan and its remote access capabilities appear to be adequate for this
purpose. 
Specifically, we found that the remote access architecture of the SEC
could handle the estimated 40 percent absenteeism rate during a pandemic
(approximately        personnel) 79 as       remote access tokens have been
issued to provide access to the servers at the Operations Center and the
Alternate Data Center, and the remote access servers are designed to handle
more than 5,000 users at each location. However, we found that the annual
remote access testing specified in the pandemic plan has not occurred.

        Recommendation 14:

        The Office of Information Technology should ensure that remote access
        testing is included as part of all Continuity of Operations Program, disaster
        recovery and pandemic testing activities, including those performed in the
        regional offices, to ensure that essential personnel and a sample of the
        representative users of the system are able to function remotely during an
        unscheduled event.

        Management Comments. OIT concurred with this recommendation.
        See Appendix VII for management’s full comments.

        OIG Analysis. We are pleased that OIT concurred with this
        recommendation.

79
  According to the Interagency Statement on Pandemic Planning, page 6, absenteeism may reach 40
percent during the peak weeks of a community outbreak during a severe pandemic. The estimate of
                                                                 listed as required to take the annual
online COOP training for 2011.

       Recommendation 15:

       The Office of Information Technology (OIT), in consultation with the Office
       of Freedom of Information Act, Records Management and Security
       (OFRMS), should require semiannual testing of remote access devices to
       ensure up-to-date connectivity and ability for both essential personnel and
       non-essential personnel to access the Commission’s network. In addition,
       OIT and OFRMS should implement a system notification warning prior to
       the connectivity testing date and then disable those devices that are not
       updated.

       Management Comments. OIT and OFRMS concurred with this
       recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OIT and OFRMS concurred with this
       recommendation.

       Recommendation 16:

       The Office of Freedom of Information Act, Records Management, and
       Security and the Office of Information Technology should consider
       implementation of alternate remote access solutions and/or internal
       directory structure that
                                                                  and Federal
       Information Security Management Act reportable systems.

       Management Comments. OFRMS and OIT concurred with this
       recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. 
We are pleased that OFRMS and OIT concurred with this
       recommendation.

       Recommendation 17:

       The Office of Freedom of Information Act, Records Management and
       Security and the Office of Information Technology should update the
       Continuity of Operations Program (COOP) documents and necessary
       agreements to appropriately reflect authorized telework activities by
       Commission personnel during unscheduled events under the COOP,
       disaster recovery and pandemic plans, including equipment that will be
       used for teleworking in such circumstances.

       Management Comments. OFRMS and OIT concurred with this
       recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OFRMS and OIT concurred with this
       recommendation.


Finding 6: COOP and Disaster Recovery Testing
Activities Can Be Improved
        The SEC is not testing all of its DRPs annually. Past DRP
        testing did not include the “recovery phase” and
        “reconstitution phase.” Further, not all test, training, and
        exercise activities identified in NIST SP 800-53 guidance for
        a FISMA security categorization rating of moderate are being
        conducted. 
Further, the regional offices have not tested
        restoration to an alternate site, and the pandemic plan has
        not been tested since 2007.

The SEC’s COOP and DRP Testing Activities Need Improvement
Annex K to FCD 1 provides as follows regarding the testing, training and exercise
of an agency’s COOP:

        The testing, training, and exercising of continuity capabilities is
        essential to demonstrating, assessing, and improving an agency’s
        ability to execute its continuity program, plans, and procedures.
        Training familiarizes continuity personnel with their roles and
        responsibilities in support of the performance of an agency’s
        essential functions during a continuity event. Tests and exercises
        serve to assess, validate, or identify for subsequent correction, all
        components of continuity plans, policies, procedures, systems, and
        facilities used in response to a continuity event. Periodic testing
        also ensures that equipment and procedures are kept in a constant
        state of readiness. 80

Two elements of disaster recovery, the recovery phase and the reconstitution
phase, are often overlooked in disaster recovery testing activities. 
First, the recovery
phase is the “implementation of prioritized actions required to return an
organization’s processes and support functions to operational stability following
an interruption or disaster.” 81 Second, the reconstitution phase is the “process by
which surviving and/or replacement organization personnel resume normal
agency operations from the original or replacement primary operating facility.” 82
Further, OMB’s guidance to agencies on FISMA reporting for Fiscal Year 2011

80
   Federal Continuity Directive 1 (FCD1), February 2008, Annex K, page K-1.
81
   Federal Continuity Directive 1 (FCD1), February 2008, Annex, page P-8.
82
   Federal Continuity Directive 1 (FCD1), February 2008, Appendix P, page P-8.

provides that all agency information systems, including those operated by a
contractor or other organization on the agency’s behalf, must be tested at least
annually. 83 As noted above, agencies are required to categorize systems subject
to FISMA based upon the three security objectives of confidentiality, integrity,
and availability, and the highest rating of the three objectives determines the
overall system security impact rating of high, moderate or low. The Contingency
Planning Guide for Federal Information Systems specifies that a functional
exercise at an organization-defined frequency should be conducted for
moderate-impact systems. 
84 “The functional exercise should include all ISCP
points of contact and be facilitated by the system owner or responsible authority.
Exercise procedures should be developed to include an element of system
recovery from                 .” 85

DRP Testing Does Not Currently Include All Systems. In the course of our
review, we learned that during the SEC’s June 2011 disaster recovery testing
exercise,         SEC systems were identified for testing. 86 Of these
systems,     were shown as passing from the end user testing,        of which were
external systems
                                             system failed; and were not actually
tested. There were no results listed for the remaining      systems, which were
not scheduled to be included in the testing.

We further found that     (39.5 percent) internal systems were not included
in the                          failover testing that took place in June 2011
and November 2011. These systems included:




83
   OMB Memorandum for Heads of Executive Departments and Agencies on FY 2011 Reporting Instructions
for the Federal Information Security Management Act and Agency Privacy Management, M-11-33,
September 14, 2011, FY 2011 Frequently Asked Questions on Reporting for the Federal Information Security
Management Act and Agency Privacy Management, page 11, Answer to Question 8. See also 44 U.S.C. §
344(b)(5) (requiring agencies to perform “periodic testing and evaluation of the effectiveness of information
84
   NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page
30.
85
   NIST SP 800-34 Rev. 
1, Contingency Planning Guide for Federal Information Systems, May 2010, page
30.
86
   While some additional systems were tested in the November 2011 disaster recovery exercise, the results
of this testing were not available at the time TWM performed its fieldwork.
87
   The SEC is transitioning from the                                          to a shared service provider.

We also found that           (40.8 percent) of active systems did not have a DRP testing
date scheduled at the time TWM completed its fieldwork for this review. These
systems included:




Insufficient DRP Testing for Regional Offices and Externally Hosted
Systems. We found that DRPs for seven regional offices
                                                              have not been tested
annually, and two regional offices                                  did not include
recovery phase testing in their most recent disaster recovery test plans. Also,
seven regional offices
                     did not include reconstitution phase testing in their latest
disaster recovery test plans. 
Further, we found that the regional offices are not
testing any element (e.g., a file or data record) from the system’s
for systems with a moderate security rating.

Moreover, the regional offices’ disaster recovery plan exercises that took place
from 2008 to 2011 were simulated paper exercises and did not perform full
functional testing of the equipment, such as transition to an alternate data center
or restoration from                Comprehensive testing, which confirms that
information technology operations can be restored at a                in the event
of an extended power failure at the primary site, should be conducted periodically
to ensure that the plans are reasonable, effective, and complete, and that
personnel know what their roles and responsibilities are in the enactment of the
plans. 89

88
   OIT informed us that the                                                      is not in production;
however, this system was reported to OMB under FISMA.
89
   NIST 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, September
2006, page 6-2.

An externally hosted system is a system or application that is operated outside
the SEC network and is not managed by SEC. OIT reviewed the externally
hosted system documentation provided by external entities (both federal and
private) for disaster recovery and contingency planning activities through the
certification and accreditation process. Our review of this information revealed
that the                 for      externally hosted system,
was not stored in a secure, offsite, environmentally-controlled location. 
We further found that another externally hosted system,
                             , could be unavailable for up to two weeks and that this
information was taken into account in determining the recovery time objectives
for dependent systems. Based upon the documentation provided, we found that
the externally hosted systems did not have regular disaster recovery exercises.

Essential Personnel Have Not Sufficiently Participated in Testing. The SEC
has indicated in its OIT contingency plan that the COOP and disaster recovery
testing exercise participation satisfies the requirement to ensure a trained
workforce is available to support the SEC’s mission critical functions during and
following a disaster. However, our review of the 2011 annual COOP testing and
exercise documentation, including attendee sign-in sheets, revealed that only
        (3.1 percent) persons identified as essential personnel under the COOP
attended that exercise. We found that this did not constitute an adequate
participation level to ensure that essential personnel receive proper training.

Our review also did not find a sufficient level of participation by regional office
essential personnel in disaster recovery testing to ensure that they are
adequately trained. We found that seven regional offices
                                                          identified essential
personnel in their COOP supplement. By comparing this information to disaster
recovery testing reports, sign-in sheets, and other related data, we determined
that approximately 88 percent of personnel identified as essential did not
participate in DRP testing. The remaining four regional offices
                                   did not identify their essential personnel in their
COOP supplement, so we were unable to determine whether their essential
personnel participated in DRP testing. 
We concluded that regional office
essential personnel have not been trained sufficiently in their roles and
responsibilities under the COOP, disaster recovery, business continuity and
pandemic plans.

System Functionality Has Not Been Fully Tested in Connection with
Disaster Recovery Plans. DRPs for many of the SEC’s systems included
specific scripts to be used to verify system operation and functionality when the
system is being established at an alternate site. We reviewed the annual
disaster recovery testing documentation for 2007 to 2011, for       randomly
selected systems, which included the disaster recovery test results, lessons
learned, and script results. We found that disaster recovery plan scripts for
                                                                     were
included in the documentation for the annual disaster recovery exercise, although
from the available documentation we could not determine if the scripts were
used during the exercises or if the results were reviewed. We found that the
other       systems were not included in the annual disaster recovery testing.

Problems Identified with Communication Channels for Essential Personnel.
SEC COOP Program documents indicated that, to ensure communication channels
are clear and available during an event, essential personnel are to be issued
        elevated communication cards:

        We found that                            essential personnel do not have
      cards, and that                         essential personnel do not have
     cards. 
We also found that                              Commission
users were not identified as essential personnel, and           users were not in
the SEC Directory, indicating that they may no longer be with the SEC.

Pandemic Plan Testing Is Not Conducted Regularly. We also found that the
last SEC Pandemic Flu Exercise was conducted in September, October, and
November of 2007. Further, the Pandemic Flu exercises did not include remote
access testing and were only a paper questionnaire analysis. Pandemic plans
should be tested regularly and remain relevant to the scope and complexity of
the organization’s operations.

       Recommendation 18:

       The Office of Freedom of Information Act, Records Management, and
       Security and the Office of Information Technology should ensure that the
       agency’s disaster recovery testing includes the Commission’s mission
       essential and Federal Information Security Management Act reportable
       systems and that pandemic plan testing is conducted on a regular basis.

       Management Comments. OFRMS and OIT concurred with this
       recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OFRMS and OIT concurred with this
       recommendation.

       Recommendation 19:

       The Office of Information Technology (OIT) should determine aspects of
       continuity of operations, disaster recovery, and business continuity plan
       testing that should be conducted annually for regional offices and for
       Federal Information Security Management Act reportable systems based
       upon their security categorization. 
OIT should ensure that this testing
       includes the recovery phase and the reconstitution phase, as well as a
       restoration from                .

       Management Comments. OIT concurred with this recommendation.
       See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OIT concurred with this
       recommendation.

       Recommendation 20:

       The Office of Information Technology should add elements to contracts
       and service level agreements for externally hosted systems to provide
       appropriate methods by which the Securities and Exchange Commission
       (SEC) can obtain assurance that appropriate disaster recovery plan
       testing is performed on mission essential and Federal Information Security
       Management Act reportable systems and to ensure the systems are able
       to function during unscheduled events. Such measures may include SEC
       participation in the disaster recovery plan testing for the externally hosted
       systems and/or a review of the results of such testing.

       Management Comments. OIT concurred with this recommendation.
       See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OIT concurred with this
       recommendation.

       Recommendation 21:

       The Office of Information Technology should include elements of testing
       from an alternate site in the regional office continuity of operations
       program, disaster recovery, and business continuity plan testing on a
       periodic basis to ensure the necessary capability and functionality for
       regional office activities are in place.

       Management Comments. OIT concurred with this recommendation.
       See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OIT concurred with this
       recommendation.

       Recommendation 22:

       The Office of Freedom of Information Act, Records Management and
       Security and the Office of Information Technology should include
       designated essential personnel for systems, divisions/offices, and regional
       offices in COOP and disaster recovery testing to ensure that a trained
       workforce is available to support the SEC’s mission critical functions
       following a disaster.

       Management Comments. OFRMS and OIT concurred with this
       recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OFRMS and OIT concurred with this
       recommendation.

       Recommendation 23:

       The Office of Information Technology should ensure that system specific
       scripts and test scenarios are included in the disaster recovery and
       business continuity plan testing activities to provide assurance of system
       functionality at alternate locations.

       Management Comments. OIT concurred with this recommendation.
       See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OIT concurred with this
       recommendation.

       Recommendation 24:

       The Office of Freedom of Information Act, Records Management, and
       Security (OFRMS) and the Office of Information Technology (OIT) should
       reassess the definition of essential personnel to ensure that this
       designation includes only personnel whose services are needed during an
       event to establish mission essential system connectivity and conduct
       essential activities until normal operations are resumed. 
OFRMS and OIT
       should also develop policies and procedures to ensure that elevated
       communication cards are distributed only to necessary personnel, cards
       are disabled upon an employee’s departure from the agency, and all
       essential personnel have appropriate elevated communication cards.

       Management Comments. OFRMS and OIT concurred with this
       recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OFRMS and OIT concurred with this
       recommendation.


Finding 7: Alternate Work Locations Need to Be
Realistic, Maintained in a Ready State, and
Communicated to Staff
       It may be difficult for


                                                              In addition,
       eight regional offices have not specified alternate locations in
       their COOP supplements. Further, alternate work locations
       must be ready for access and use as required, and staff need
       to be provided with more information about their alternative
       work site.

Realistic Alternate Work Locations Need to Be Selected, Kept Ready in the
Event They Are Needed, and Better Communicated to Staff

As part of continuity planning, all agencies must identify alternate facilities;
alternate uses for existing facilities; and, as appropriate, virtual office options
including telework. Risk assessments should be conducted on these facilities to
provide reliable and comprehensive data to inform risk mitigation decisions that
will allow agencies to protect assets, systems, networks, and functions while
determining the likely causes and impacts of any disruption. 
All agency personnel shall be briefed on agency continuity plans that involve using, or relocating personnel to, alternate facilities, existing facilities, or virtual offices. Continuity personnel must be provided with supplemental training and guidance on relocation procedures. 90

We found that eight regional offices [redacted] have not identified alternate facilities (whether physical or telecommuting) in their COOP supplements or DRPs. Additionally, while the SEC's draft overall COOP plan identifies alternate worksites for essential personnel, there are no designated alternate worksite locations (whether physical or telecommuting) for [redacted] personnel and non-essential [redacted] personnel. Further, the COOP supplements and DRPs do not include all alternate site and travel logistics for the regional offices, [redacted] personnel, and non-essential [redacted] personnel. 91

90 Federal Continuity Directive 1 (FCD 1), February 2008, page 8.

FCD 1 further provides, at Annex K, that an agency's test program must include, among other things, "[t]esting and validating equipment to ensure the internal and external interoperability and viability of communications systems, through monthly testing of the continuity communications capabilities outlined in Annex H (e.g., secure and nonsecure voice and data communications)." 92 We found that the immediate alternate site for the [redacted] has outdated equipment that is locked [redacted] has not been connected to the SEC's network for quite some time.

Depending on the circumstances of an emergency event, SEC essential functions will be relocated to one of three alternate work locations: [redacted]

Traffic to the [redacted] from the Headquarters location in Washington, D.C., during an unscheduled event could become extremely difficult, making it unlikely that these destinations could be reached within [redacted] (which the BIAs for many systems indicate is the desirable time frame after an event for systems to become operational). 93

Alternate Work Sites Are Not Sufficiently Ready. The SEC must be prepared to address events that could disrupt Headquarters operations with a flexible and scalable response. Although it is not possible to anticipate all scenarios that would put the SEC Headquarters at risk, the SEC [redacted]—which supports overall SEC COOP planning—should ensure a coordinated response to most scenarios. While the SEC COOP Plan addresses a wide variety of potentially disruptive scenarios, the [redacted] focuses on catastrophic and/or widespread incidents and events that may occur—with or without warning—and render Headquarters personnel incapable of or unavailable to perform essential functions. The [redacted] notes that the Headquarters division/office points of contact shall, at a minimum, annually review personnel and resources at the devolution sites to ensure their ability to assume devolution responsibilities.

91 As noted above, we found that the draft overall COOP plan has limited discussion on teleworking and does not adequately address telework options (in lieu of alternate worksites) as part of the COOP process.
92 Federal Continuity Directive 1 (FCD 1), February 2008, Appendix K, page K-1.

During our review, we were informed that the SEC's devolution sites, [redacted] were not up-to-date. In particular, we learned that the equipment available at these sites was out-of-date and could not be used with the SEC network due to [redacted]. Further, the SEC's COOP plan indicates that there are [redacted] workstations/work areas available at the [redacted] where emergency response personnel are to relocate in the event of an emergency. However, we were provided with updated space availability information as of January 2012, which indicated there are a total of [redacted] in the entire building. The COOP plan documentation on space availability needs to be revised to reflect current space availability and needs, taking into account the potential for telework and remote access.

Updated Accessibility to Alternate Work Sites. Alternate work sites require pre-arranged activities, including lists of who can access the site, what equipment can remain at the premises, communication and connectivity information, and office furniture.
Access to the [redacted] security system. Through discussions with SEC personnel, we learned that in order for SEC personnel to gain access to the [redacted] they must be cleared and on the access list maintained at the [redacted] site. We were further informed that the access list for SEC personnel is not current due to the transition in COOP personnel and COOP responsibilities.

Access Problems Identified During Prearranged Visit to the [redacted]. In December 2011, TWM conducted a prearranged visit to [redacted]. During this visit, TWM found that assigned SEC personnel could not readily access the [redacted] because their access codes had expired. For example, we observed that the access code for one SEC staff member had expired. Further, we learned that two other staff members had to have their access codes reset because they had expired. This occurs when a person does not visit the facility on at least a quarterly basis. We also found that the process for resetting expired access codes required communication with the [redacted] point-of-contact and the SEC's point-of-contact, who, at that time, happened to be on site. Expired codes could prove to be a problem if an actual event occurs and the necessary points of contact are not on site.

Survey Responses Indicate Staff Need to Be Provided with More Information About Their Alternate Work Locations. In our SEC agency-wide survey, we questioned SEC employees and contractors regarding their preparation and readiness for COOP activities, including notification of events and alternate work locations.

The survey results revealed that 174 of 2,386 (7.3 percent) respondents indicated they did not know the method by which they would be notified of an event. Three of those 174 respondents were self-identified essential personnel. These responses raise concerns that some SEC personnel, including essential personnel, will not be notified of events because the SEC's primary method of notifying employees of an unscheduled event is the [redacted], which requires self-registration.

Our survey further found that 100 of 417 (24 percent) of respondents who indicated they were required to work from an alternate worksite in the event of an interruption did not know the location of their alternate worksite. In addition, 294 of 417 (70.5 percent) respondents did not know whether their families could travel with them to the alternate work site. Further, in answering questions specifically pertaining to regional office alternate worksite locations, 57 of 210 (27.1 percent) respondents indicated that they did not know their alternate worksite locations, and two respondents, in the comment portion of the survey, identified their alternate worksite location as the public library. In addition, 2 of 32 (6.3 percent) regional office essential personnel who responded indicated that they did not have an alternate work site location. 94

Recommendation 25:

The Office of Freedom of Information Act, Records Management, and Security, in conjunction with the regional offices, should specify alternate work locations for which the necessary logistics, such as memoranda of agreement, service level agreements, or credit card limits for hotel conference rooms or other locations, are arranged in advance.

Management Comments. OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS concurred with this recommendation.

94 Some regional office respondents indicated they would use another non-SEC federal government location, but the details were not formalized. Our review of SEC COOP plan documents revealed that there were no regional office Memoranda of Agreement, Memoranda of Understanding or Service Level Agreements to ensure that a viable location for regional office alternate worksites would be available during an unscheduled event. See Finding 10 below.

Recommendation 26:

The Office of Freedom of Information Act, Records Management, and Security should categorize essential personnel according to necessary functions, based on various realistic scenarios (such as Headquarters or Operations Center locations becoming inaccessible or not operational, including traffic conditions that would affect the scenario). Possible categories include personnel required for immediate activities, personnel needed to establish connections at the alternate site, and personnel needed to work remotely at designated alternate sites such as their homes, hotels, or other specified locations.

Management Comments. OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS concurred with this recommendation.

Recommendation 27:

The Office of Freedom of Information Act, Records Management, and Security, as part of its planning efforts, should specify when Commission personnel are to telework after an event and when they must go to the designated alternate locations instead of teleworking.

Management Comments. OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS concurred with this recommendation.

Recommendation 28:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology should define migration paths from the [redacted] should it become inaccessible and specify where the alternate worksite [redacted]

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Recommendation 29:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology should ensure that the designated Headquarters alternate worksites are ready for use and contain sufficient equipment and technology resources. In addition, COOP plan documentation should be revised to reflect current space availability and needs, taking into account the potential for telework and remote access.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Recommendation 30:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology should ensure that designated alternate worksite locations are visited and tested periodically to ensure ready access and use. Appropriate steps should be taken to ensure that any cards or badges required for entry to alternate worksite locations are kept up to date and have not expired.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Recommendation 31:

The Office of Information Technology (OIT) should reinforce the need for Securities and Exchange Commission (SEC) personnel and contractors to register in the agency's emergency notification system, which is designated as the primary method of notifying employees during a continuity of operations or pandemic event. OIT should also implement procedures to ensure the removal of personnel from the emergency notification system after they leave the SEC.

Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OIT concurred with this recommendation.

Recommendation 32:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology should clearly define in the continuity of operations, disaster recovery, and business continuity plan documentation the alternate worksite or telework locations for both essential and non-essential personnel. This documentation should also clarify whether, when relocating to an alternate site is required, family members may accompany Commission employees and contractors to the relocation site, consistent with federal regulations.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Finding 8: Plans of Action and Milestones (POA&M) Need to Be Complete and Up-to-Date

While the SEC's COOP and disaster recovery plan test reports list identified issues, areas for improvement, and recommended corrective actions, the identified issues and recommendations were not included in POA&Ms. Also, the regional office POA&Ms have not been updated.

SEC POA&M Maintenance Needs to Be Improved

As stated in NIST Special Publication 800-53, POA&Ms "are developed and maintained for the program management and common controls that are deemed through assessment to be less than effective." 95 The POA&M "is a key document in the security authorization package and is subject to federal reporting requirements established by OMB." 96

The SEC performs DRP testing for each regional office infrastructure and individual system applications.
All the regional offices' DRPs state that POA&Ms will be created. Our review found that 39.5 percent of the recommendations generated during the regional office DRP testing could not be tracked to a POA&M and were not identified as having been resolved in the updated DRPs (dates ranging from 2010 to 2011). Further, we found at least two items identified in the annual Headquarters COOP testing that should have been included as POA&M items (the submission-of-filings gap during testing of [redacted], and the order of startup for production servers on the Business Objective 11 system).

95 NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, Appendix G, page G-1.
96 NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009, Appendix F-CA, page F-35.

Regional Office POA&Ms Are Not Updated. We also found that eight regional offices [redacted] have not updated their DRPs to include recommendations that were identified in DRP testing. Specific items of issue or concern listed in the regional office disaster recovery test plans and evaluation reports included, among other things, required server migration and the need for updated Tips, Complaints, and Referrals system DRPs. The issues that were identified in the testing have not been addressed in a post-exercise activity or included as POA&Ms. While corrective actions were noted that would require a POA&M, none was present. All recommendations generated during COOP, DRP, BCP and pandemic testing should be included in the POA&M. Otherwise, recommendations could go unresolved and encumber the recovery of a system during an event.

Regional POA&Ms Were Not Properly Closed Out. Further, we found that all the SEC's regional office POA&M items that were shown to be open should reflect a status of closed, according to information provided to TWM. An issue identified in an April 2010 exercise conducted by one regional office was the need to update the POA&M process specifically to include actions required to correct any problems or issues identified during the April 2010 exercise. There were also several open POA&M items from the December 2008 and June 2009 disaster recovery exercises that required evaluation by management to ensure final corrective actions are implemented.

Recommendation 33:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology should ensure that recommendations made as a result of the continuity of operations, disaster recovery, business continuity and pandemic testing are included in a management corrective action plan (CAP) and are maintained in the CAP until they are resolved.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Recommendation 34:

The Office of Information Technology (OIT) should ensure that open POA&M items from previous years are evaluated by management and final corrective actions are implemented to close the items.

Management Comments. OIT and OFRMS concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OIT concurred with this recommendation.

Finding 9: Additional Training and Cross-Training of COOP Personnel Is Required

The SEC's COOP and disaster recovery exercises do not include the majority of the designated essential personnel. In addition, the high concentration of personnel at SEC Headquarters may not provide for adequate geographic dispersion of trained personnel.

SEC COOP-Related Training and Cross-Training Need to Be Improved

The Contingency Planning Guide for Federal Information Systems provides as follows: "Training for personnel with contingency plan responsibilities should focus on familiarizing them with ISCP roles and teaching skills necessary to accomplish those roles. This approach helps ensure that staff is prepared to participate in tests and exercises as well as actual outage events. Training should be provided at least annually." 97

SEC division and office heads select essential personnel based upon the following factors: (1) the predetermined essential functions that must be performed, regardless of the operational status of the SEC's primary operating facility, (2) the staff members' knowledge and expertise in performing these essential functions, and (3) the members' ability to rapidly deploy to the relocation site in an emergency situation. The SEC has designated [redacted] individuals as essential personnel.

97 NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page 28. Under NIST SP 800-53, an organization should incorporate simulated events into contingency training to facilitate effective response by personnel during crisis situations. NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, May 2010, Appendix F-CP, page F-48.

As discussed above, the SEC has chosen to eliminate the BCP, indicating that its elements are already contained in the DRP and BIAs. As a consequence, the SEC's DRP exercises are primarily viewed as information technology exercises. As training and exercises cover the same topics, the SEC uses exercises to satisfy the training requirement in an effort to reduce the number of hours devoted to these activities. 98 The SEC is using participation in regional office DRP exercises to satisfy the requirement to train essential personnel both for the COOP plan and the DRP. As noted above, we found through testing that, on average, 88 percent of regional office essential personnel did not participate in DRP training or exercises between 2008 and 2011. This indicates that a large percentage of regional office essential personnel may not have been sufficiently trained in their roles and responsibilities during a disaster recovery event. As a consequence, essential personnel may not be able to perform their responsibilities during the activation of the DRP.

We also reviewed individual system disaster recovery testing by randomly selecting [redacted] internally hosted SEC systems.
The systems selected included: [redacted]. We identified 14 Points of Contact (POC) from the DRPs for these systems, and found that 9 POCs had not participated in the DRP testing or training for their systems. Additionally, for COOP testing, we could not verify who had participated in the testing or training based on the available documentation for 2010 and 2011 (i.e., Eagle Horizon test plans, Headquarters computer based training, and related Eagle Horizon testing documents).

While OIT personnel are participating in DRP exercises, many key essential personnel are not participating in DRP exercises and, therefore, have not received the appropriate role-based training for their part in DRP and COOP activities. 99 Instead, they only had the annual refresher online training course. Further, we found that [redacted] SEC staff members deployed to the [redacted] and were involved in supporting the 2011 Eagle Horizon exercise. The COOP exercises that have been conducted by OFRMS primarily included OIT personnel as the participants, and the testing conducted shows the ability for the [redacted] to exercise the basic failover of the systems. However, the same OIT personnel are being trained, and there has not been sufficient testing for events that would require the participation of essential and senior personnel, in addition to system owners.

98 "Training provides the skills and familiarizes leadership and staff with the procedures and tasks they must perform in executing continuity plans," while "[t]ests and exercises serve to assess and validate all the components of continuity plans, policies, procedures, systems, and facilities used to respond to and recover from an emergency situation and identify issues for subsequent improvement." Federal Continuity Directive 1 (FCD 1), February 2008, page 10.
99 Training personnel before an exercise or test event is typically split between a presentation on their roles and responsibilities and activities that allow personnel to demonstrate their understanding of the subject matter. NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, September 2006, page ES-2.

A key continuity concept identified in FCD 1 is geographic dispersion of an organization's normal daily operations, which "can significantly enhance an organization's resilience and reduce the risk of losing the capability to perform essential functions. Geographic dispersion of leadership, data storage, personnel, and other capabilities may be essential to the performance of essential functions following a catastrophic event and will enable operational continuity during an event that requires social distancing (e.g., pandemic influenza)." 100

We estimated that, based on the distribution of SEC personnel throughout the country (applying a 40 percent anticipated absenteeism rate 101 to [redacted] SEC personnel listed as required to take the annual online COOP training for 2011), there would be [redacted] potentially absent personnel. We estimated that [redacted] would be absent from the geographically dispersed regional offices, while the remaining [redacted] would be absent from the D.C. metropolitan area where the SEC's Headquarters is located. It seems likely that there is sufficient geographic dispersion of personnel and functions among the SEC regional offices, which perform similar activities.
However, the high concentration of personnel at the Headquarters location may not provide for adequate geographic dispersion of trained personnel, such that additional cross-training of personnel may be warranted.

Recommendation 35:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology should ensure that continuity of operations, disaster recovery, and business continuity plan training occurs prior to annual tests, exercises or events, as recommended by NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for Information Technology Plans and Capabilities, in order to ensure that individuals are prepared for their specific roles during a disaster recovery event.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

100 Federal Continuity Directive 1 (FCD1), February 2008, page 4.
101 In a severe pandemic, absenteeism may reach 40 percent during the peak weeks of a community outbreak. Interagency Statement on Pandemic Planning, page 6.

Recommendation 36:

The Office of Freedom of Information Act, Records Management, and Security, in conjunction with the Office of Human Resources, the Office of Information Technology, and the various divisions and offices, should consider, consistent with federal personnel regulations, whether it is possible to cross-train regional office personnel in functions that are performed exclusively at the Commission Headquarters and regional offices and, if so, should define these functions and implement procedures for cross-training personnel for mission essential functions in the case of a COOP or pandemic event.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Finding 10: Necessary Memoranda of Agreement, Memoranda of Understanding, and Service-Level Agreements Were Not Present or Are Outdated

The SEC does not have current Memoranda of Agreement (MOA), Memoranda of Understanding (MOU), or Service-Level Agreements (SLA) that are typically included as appendices to agency COOP or DRP plans so they are easily accessible during an event.

Alternate Worksite MOU/MOA/SLA Were Not Present or Are Out-of-Date

The use of formal alternate worksite locations at other federal agencies or private entities often requires the use of MOUs/MOAs or SLAs.
For example, \xe2\x80\x9c[t]wo or\nmore organizations with similar or identical system configurations and\ntechnologies may enter into a formal agreement to serve as alternate sites for\neach other or enter into a joint contract for an alternate site. This type of site is\nset up via a reciprocal agreement or [MOU].\xe2\x80\x9d 102 However, \xe2\x80\x9c[a] reciprocal\n\n102\n      NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010, page\n23.\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                                     April 23, 2012\nReport No. 502\n                                         Page 53\n                                 REDACTED PUBLIC VERSION\n\x0cagreement should be entered into carefully because each site must be able to\nsupport the other, in addition to its own workload, in the event of a disaster. This\ntype of agreement requires the recovery sequence for the systems from both\norganizations to be prioritized from a joint perspective, favorable to both parties.\nTesting should be conducted at the partnering sites to evaluate the extra\nprocessing thresholds, compatible system and              configurations, sufficient\ntelecommunications connections, compatible security measures, and the\nsensitivity of data that might be accessible by other privileged users, in addition\nto functionality of the recovery strategy.\xe2\x80\x9d 103\n\nDuring our review of the SEC\xe2\x80\x99s COOP documents we did not identify any current\n(i.e., updated within the last three years) existing MOUs, MOAs or SLAs for\nalternate worksite locations, vendors, or services to be obtained or used during\nan event. We identified an outdated MOU (entered into in 2006) with the\n\n        which the SEC no longer uses as an alternate work site. 
We further found that the outdated [redacted] MOU did not list the staff who were to be contacted in a COOP event.

Further, we found that neither the SEC’s overall COOP plan nor the OIT contingency plan includes contract provisions for obtaining hardware, software, or services for emergencies. In addition, the COOP documents we reviewed did not address the use of government purchase cards to obtain needed hardware, software, or services in the event of COOP activation, in lieu of MOUs, MOAs, or SLAs. Subsequent to the issuance of the discussion draft report for this review, we obtained and reviewed two randomly selected service contracts. While we found appropriate language in these contracts, we were not provided with enough contracts for a sample of the population to be properly tested. Therefore, we could not firmly conclude that the required contractual language is contained in similar types of contracts.

We also reviewed the regional office base DRP (which is to be augmented by the individual regional offices), as well as the regional offices’ DRP supplements. We found that none of these plans included any MOUs, MOAs, or SLAs. Our review of the regional office base DRP disclosed that the regional offices are to use available equipment from OIT or other regional offices during COOP activation. While this may be a cost-effective solution, it can also be inefficient and ineffective because the unutilized equipment contained in the disaster recovery plan hardware inventory lists may not be up-to-date or available. Moreover, it is unlikely that property transfers would be completed properly, given that personnel would already be taxed with the implementation of a DRP. Further, regional office personnel may be reluctant to part with equipment until they are satisfied that the DRP event will not also affect them and they have reviewed their own DRP requirements.

Finally, our review found that OIT’s contingency plan did not include MOUs, MOAs, or SLAs for externally hosted systems. Rather, the plan merely noted that data communication lines are used to connect to these systems and that they fall under the cognizance of the general support system. Subsequent to the exit meeting, one externally hosted system contract document was obtained, and appropriate service level metrics and availability language were included in it.

Recommendation 37:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology, in conjunction with the Office of Administrative Services and the Office of the General Counsel, should document that the necessary contractual agreements and/or provisions are in place to ensure the availability of hardware, software, and services that may be required during an emergency. The use of government credit cards to procure such equipment and services should also be considered and documented. If government credit cards are to be used for this purpose, the authorized limits established should be sufficient for such purchases.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management’s full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.

Recommendation 38:

The Office of Freedom of Information Act, Records Management, and Security and the Office of Information Technology, in conjunction with the regional offices, the Office of Administrative Services, the Office of Financial Management, and the Office of the General Counsel, should ensure that appropriate and updated Memoranda of Agreement, Memoranda of Understanding, and Service-Level Agreements are executed to provide for alternate work site locations, capabilities, and accommodations that may be necessary to ensure continuity of operations.

Management Comments. OFRMS and OIT concurred with this recommendation. See Appendix VII for management’s full comments.

OIG Analysis. We are pleased that OFRMS and OIT concurred with this recommendation.


Appendix I

Abbreviations

Business Continuity Plan                                              BCP
Business Impact Analysis                                              BIA
Chief Operating Officer                                               COO
Continuity of Operations Program                                      COOP
Disaster Recovery Plan                                                DRP
eXtensible Business Reporting Language                                XBRL
Federal Continuity Directive                                          FCD
Federal Information Processing Standard                               FIPS
Federal Information Security Management Act                           FISMA
Information System Contingency Plan                                   ISCP
Information Technology                                                IT
Information Technology Contingency Plan                               ITCP
Memorandum of Agreement                                               MOA
Memorandum of Understanding                                           MOU
Mission Essential Functions                                           MEF
National Institute of Standards and Technology                        NIST
Office of Freedom of Information Act, Records Management and Security OFRMS
Office of Inspector General                                           OIG
Office of Security Services                                           OSS
Plans of Action and Milestones                                        POA&M
Points of Contact                                                     POC
Primary Mission Essential Function                                    PMEF
Service Level Agreement                                               SLA
TWM Associates, Inc.                                                  TWM
U.S. Securities and Exchange Commission                               SEC or Commission
Virtual Private Network                                               VPN


Appendix II

List of Issues Identified in Review of Disaster Recovery and Continuity of Operations Plans

1. All 13 DRPs (Headquarters, Operations Center, and the regional offices) 105 did not have a review and approval date entered.
2. Ten regional office DRPs [redacted] did not include risk management.
3. No regional office DRPs included information for budget and acquisition of resources.
4. Five of 13 DRPs [redacted] did not include an order of succession.
5. All 13 DRPs did not include concurrent processing.
6. One regional office [redacted] did not include recovery priority.
7. Seven of 13 DRPs [redacted] included BIAs that did not appear to be current.
8. Ten of 13 DRPs [redacted] did not include access control policies and procedures.
9. Ten of 13 DRPs [redacted] did not include all alternate facilities.
10. All 13 DRPs did not include all alternate site use and travel logistics.
11. The regional offices’ DRPs had template language that lacked complete information.
12. Six of 13 DRPs [redacted] contained vital records information that did not appear to be current.
13. Five of 13 DRPs [redacted] hard copy vital records without any alternate source.
14. Eleven of 13 DRPs [redacted] did not include original or new site restoration procedures.
15. Three of 13 DRPs [redacted] did not include personnel and vendor contact lists.
16. Two of 13 DRPs [redacted] had incomplete personnel and vendor contact lists.
17. The regional offices’ DRPs did not include information on relocation of personnel, relocation of families of personnel, alternate site operating procedures, or assumptions.
18. All 13 DRPs did not include MOAs, MOUs, or SLAs.
19. The overall COOP document and the OIT contingency plan were under revision, as indicated by the watermark of the Word documents; the list of essential personnel was under revision; and the plans did not include a list of vendor information for all divisions and offices.
20. The overall COOP document and the OIT contingency plan contained an incomplete order of succession.
21. The recovery procedures in the overall COOP document and the OIT contingency plan did not include additional notification procedures for more recovery staff, messages, and status updates to leadership.
22. The reconstitution procedures in the overall COOP document and the OIT contingency plan did not include procedures for notifications of return to normal operations or a system full [redacted].
23. The overall COOP plan document did not include logistics for the Alternate Data Center.
24. Twelve of 13 DRPs [redacted] did not include operating system version levels for software inventory, as recommended by NIST SP 800-34.
25. All 13 DRPs did not include processor, memory, and storage requirements in equipment inventory, as recommended by NIST SP 800-34.
26. The regional office base DRP’s reconstitution phase did not include concurrent processing or offsite data storage return.
27. For all regional office DRPs, the signature pages were not signed or dated, and the DRPs included a large amount of template wording.
28. For 10 of 13 DRPs [redacted] the signature pages did not include the designated Crisis Management Team and/or information technology specialist.
29. All regional office DRPs had incomplete sections, such as a [redacted] that was not updated.
30. For 8 of 13 DRPs [redacted] the shutdown/startup procedures were a template and did not include all network devices listed in the [redacted].
31. For 10 of 13 DRPs [redacted] Appendix H: Emergency Operation Center Locations had not been completed.
32. For 8 of the 13 DRPs [redacted] Alternate Enhanced Redirect Solutions-authorized personnel were not included.
33. For 1 of 13 DRPs [redacted] the shutdown/startup procedures were a template with incomplete name and floor fields.
34. For 8 of 13 DRPs [redacted] the emergency communication policies and procedures were sample procedures and had not been completed.
35. One of 13 DRPs [redacted] did not reflect the changes identified in the BIA after-action report.
36. Three regional office COOP plan supplements did not provide all, if any, of the required information.
37. Six regional office COOP spreadsheet supplements [redacted] did not appear to be current.
38. Contracts or related documentation were not provided to support the emergency provisions referenced in the overall COOP plan document.
39. Systems with lower recovery priorities were listed to be recovered before systems with more critical recovery requirements.

105 While we found that the [redacted] did not specifically have DRPs, for the purposes of this Appendix, the main overall SEC COOP document is considered to be the Headquarters DRP, and the OIT contingency plan (i.e., the GSS ISCP) is considered to be the Operations Center DRP. We also reviewed the regional office base plan and the regional office COOP supplements to determine if they included any of the required information.


Appendix III

List of Issues Identified From Sample Testing of System Disaster Recovery Plan and Business Impact Analysis Documents

[The contents of this appendix do not appear in the redacted public version.]


Appendix IV

Scope and Methodology

The full version of this report includes information that the SEC considers to be sensitive or proprietary. To create this public version of the report, OIG redacted (blacked out) potentially sensitive, proprietary information from the report.

Scope. The initial scope of TWM’s review covered calendar years 2009 through 2011. However, during our review and requests for supporting documentation, OIT and OSS provided TWM with some data that was dated prior to calendar year 2009. Specifically, we reviewed documentation to support the SEC’s COOP that was dated from 2007 through 2011.

We conducted our fieldwork from October 2011 to January 2012.

Further, we obtained information from OIT concerning the SEC’s FISMA reportable systems for the universe of the SEC’s systems. For each of the identified systems and SEC facilities, we obtained supporting artifacts (i.e., COOP plans, DRPs, BIAs, essential personnel lists, list of [redacted] users, list of [redacted] users, system log access extracts, etc.) to the extent they were available. We surveyed the Commission’s employees and contractors regarding their preparation and readiness for COOP, DRP, BCP, and pandemic activities. We obtained information showing the status of the SEC’s implementation of prior OIG audit recommendations relevant to COOP and determined there were no additional applicable risk areas or potential findings and recommendations outside of the existing audit program steps for this review. We also observed and visited the [redacted].

Methodology. To meet the overall objective to assess the adequacy of the SEC’s COOP, we reviewed the SEC’s policies and procedures governing COOP, DRP, BCP, and pandemic activities, documentation showing implementation of those activities, and documents reflecting supporting activities for implementation of these programs. We also reviewed relevant documentation for individual systems, Headquarters divisions and offices, regional offices, as well as the Operations Center and the Alternate Data Center.
In addition, we held discussions with personnel to learn about the SEC’s COOP and to discuss and confirm our findings and recommendations.

We conducted detailed testing to determine the viability of the SEC’s COOP, DRP, BCP, and pandemic functions and whether the Commission is complying with its policies and procedures in these areas. We also performed testing to measure the effectiveness of the implemented procedures.

Management Controls. We reviewed the Commission’s FISMA POA&M items that document control weaknesses related to COOP, DRP, BCP, and pandemic activities to determine the impact on the existing review program procedures for this review.

Prior Audit Coverage

   •   2011 Annual FISMA Executive Summary Report, OIG Report No. 501, February 2, 2012
   •   Review of Alternative Work Arrangements, Overtime Compensation, and COOP-Related Activities at the SEC, OIG Report No. 491, September 28, 2011
   •   Assessment of SEC’s Continuous Monitoring Program, OIG Report No. 497, August 11, 2011
   •   2010 Annual FISMA Executive Summary Report, OIG Report No. 489, March 3, 2011


Appendix V

Criteria

Federal Information Security Management Act of 2002, Title III, Pub. L. No. 107-347. Requires federal agencies to develop, document, and implement an agency-wide program providing security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

OMB Memorandum 11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, September 14, 2011. Provides instructions to agencies for meeting Fiscal Year 2011 reporting requirements under FISMA.

NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010. Provides instructions, recommendations, and considerations for federal government information system contingency planning.

NIST Special Publication 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009. Defines security controls recommended for use by organizations in protecting their information systems that should be employed as part of a well-defined and documented information security program.

Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements, Issued by the Department of Homeland Security, February 2008. Provides direction to the federal executive branch for developing continuity plans and programs.

Federal Continuity Directive 2 (FCD 2), Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, February 2008. Implements the requirements of FCD 1, Annex C, and provides guidance and direction to federal executive branch departments and agencies for identification of their MEFs and potential PMEFs.

National Strategy for Pandemic Influenza Implementation Plan, Issued by the Homeland Security Council, May 2006. Provides a high-level overview of the approach that the federal government will take to prepare for and respond to a pandemic.

Interagency Statement on Pandemic Planning, Issued by the Federal Financial Institutions Examination Executive Council Agencies. Provides guidance to remind financial institutions that BCPs should address the threat of a pandemic influenza outbreak.

SEC OIT Operating Directive 24-04.09 (02.0), IT Security Business Continuity Management Program, August 23, 2011. Establishes policy and responsibilities for business continuity management consistent with requirements prescribed by FISMA and the SEC’s Information Technology Security Program.

SEC OIT Implementing Instruction 24-04.09.01 (02.0), Business Impact Analysis, August 22, 2011. Defines the SEC’s process and establishes responsibilities for conducting a BIA as directed in Operating Directive 24-04.09.

SEC OIT Disaster Recovery Planning Policy, OIT-00003-001.0, August 6, 2002. Maintains the OIT DRP for its infrastructure at the SEC’s Operations Center, Headquarters, and regional offices.


Appendix VI

List of Recommendations

Recommendation 1:

The Office of the Chief Operating Officer should ensure that the Office of Freedom of Information Act, Records Management and Security completes its review of the agency-wide continuity of operations program (COOP) to ensure the Commission’s COOP is comprehensive, cohesive, and in compliance with federal guidance.

Recommendation 2:

The Office of Freedom of Information Act, Records Management, and Security should revise and update the Commission’s continuity of operations program policies and procedures to ensure they are comprehensive, complete, and up-to-date.

Recommendation 3:

The Office of Freedom of Information Act, Records Management, and Security (OFRMS) and Office of Information Technology (OIT), in conjunction with the program divisions/offices and regional offices, should update, revise, and finalize all continuity of operations program (COOP) documents, including the overall Headquarters COOP plan, individual division/office COOP plans, regional office COOP supplements, disaster recovery plans, business continuity plans and business impact analyses, and pandemic plan supplements. OFRMS and OIT should ensure these documents are complete and include all the necessary elements, and that they properly define the Commission’s essential functions.
In\naddition, processes should be implemented to ensure annual review and\napproval of these documents.\n\nRecommendation 4:\n\nThe Office of Freedom of Information Act, Records Management, and Security, in\nconjunction with program and regional offices, should ensure that vital records\nand lines of succession are properly identified, documented and readily available\nduring continuity events.\n\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                   April 23, 2012\nReport No. 502\n                                   Page 68\n                           REDACTED PUBLIC VERSION\n\x0c                                                                     Appendix VI\n\n\nRecommendation 5:\n\nThe Office of Information Technology (OIT), in conjunction with the primary\nprogram information users, should identify\n                                                 at the alternate locations should\n               be unavailable. Further, OIT should review the Securities and\nExchange Commission\xe2\x80\x99s (SEC) network and topology to ensure there are\n\n\nRecommendation 6:\n\nThe Office of Information Technology should ensure proper power distribution\n\n\n\n\nRecommendation 7:\n\nThe Office of Freedom of Information Act, Records Management, and Security, in\nconjunction with the Office of Information Technology and system owners, should\nrevise the Securities and Exchange Commission (SEC) system recovery time\nobjectives to specify more realistic timeframes, based on the ability to transition\nto the alternate site, and then determine acceptable recovery times. 
The\nrecovery plan and priority of recovery of the systems should be based on the\noverall mission of the agency with a focus on real-time monitoring of the markets.\nFurther, the identification of high priority systems should focus on the immediate\nmission of the agency, and systems documentation should also be reviewed to\nensure proper recovery priority is reflected based on the contribution to the\nSEC\xe2\x80\x99s mission and functions.\n\nRecommendation 8:\n\nFor underutilized systems such as the\n         the Office of Information Technology should consider discontinuing\nmaintenance, retiring the system, or alternatively making more robust use of the\nsystem such that additional Commission funds are not wasted on underutilized\nsystems.\n\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                   April 23, 2012\nReport No. 502\n                                   Page 69\n                           REDACTED PUBLIC VERSION\n\x0c                                                                        Appendix VI\n\n\nRecommendation 9:\n\nThe Office of Information Technology (OIT), in conjunction with system owners,\nshould identify the        requirements (e.g., files, data, and system software)\nfor all systems (at minimum, Federal Information Security Management Act\nreportable systems). 
OIT should ensure that              requirements are\ndocumented, understood by the owner, and published for future reference.\nFurther, OIT should ensure system software licenses and key requirements are\nincluded in          documentation, and the location of this information is known\nto ensure restoration capability at the alternate location site.\n\nRecommendation 10:\n\nThe Office of Information Technology, in conjunction with the regional offices,\nshould document the processes and procedures to be used in the event that a\nregional office needs to restore its systems at a regional office transition site, and\nthe corresponding effect on the           procedures for other regional offices that\nmay need to use a regional office transition site or alternate method to ensure\nrecoverability.\n\nRecommendation 11:\n\nThe Office of Information Technology (OIT) should continue its efforts to replace\nthe regional office\xe2\x80\x99s tape          systems. Additionally, OIT should define a\n         and recovery strategy for multi-hosted application restoration for the\nregional offices. OIT should also document the system specific files and\ndatabase items, in order to facilitate the ability to restore only necessary items,\nrather than the entire database, which could take many hours to accomplish and\nis not in line with the recovery time objectives for individual systems.\n\nRecommendation 12:\n\nThe Office of Information Technology should implement consistent and\nappropriate         schedules for mission essential and Federal Information\nSystem Management Act reportable systems, including daily, weekly, and\nmonthly          processes and procedures, to ensure these systems are\nrecoverable.\n\n\n\n\nReview of the SEC\xe2\x80\x99s Continuity of Operations Program                      April 23, 2012\nReport No. 
502\n                                   Page 70\n                           REDACTED PUBLIC VERSION\n\x0c                                                                     Appendix VI\n\n\nRecommendation 13:\n\nThe Office of Information Technology should include in the Disaster Recovery\nPlan and Business Continuity Plan, testing steps that are designed to ensure the\nrestoration from               that is consistent with the requirements for\nsystems that are rated as moderate, in accordance with the National Institute of\nStandards and Technology guidance under the Federal Information Systems\nManagement Act.\n\nRecommendation 14:\n\nThe Office of Information Technology should ensure that remote access testing is\nincluded as part of all Continuity of Operations Program, disaster recovery and\npandemic testing activities, including those performed in the regional offices, to\nensure that essential personnel and a sample of the representative users of the\nsystem are able to function remotely during an unscheduled event.\n\nRecommendation 15:\n\nThe Office of Information Technology (OIT), in consultation with the Office of\nFreedom of Information Act, Records Management and Security (OFRMS),\nshould require semiannual testing of remote access devices to ensure up-to-date\nconnectivity and ability for both essential personnel and non-essential personnel\nto access the Commission\xe2\x80\x99s network. 
In addition, OIT and OFRMS should
implement a system notification warning prior to the connectivity testing date and
then disable those devices that are not updated.

Recommendation 16:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should consider implementation of
alternate remote access solutions and/or internal directory structure

                        and Federal Information Security Management Act
reportable systems.

Recommendation 17:

The Office of Freedom of Information Act, Records Management and Security
and the Office of Information Technology should update the Continuity of
Operations Program (COOP) documents and necessary agreements to
appropriately reflect authorized telework activities by Commission personnel
during unscheduled events under the COOP, disaster recovery, and pandemic
plans, including equipment that will be used for teleworking in such
circumstances.

Recommendation 18:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should ensure that the agency’s
disaster recovery testing includes the Commission’s mission essential and
Federal Information Security Management Act reportable systems and that
pandemic plan testing is conducted on a regular basis.

Recommendation 19:

The Office of Information Technology (OIT) should determine aspects of
continuity of operations, disaster recovery, and business continuity plan testing
that should be conducted annually for regional offices and for Federal Information
Security Management Act reportable systems based upon their security
categorization. OIT should ensure that this testing includes the recovery phase
and the reconstitution phase, as well as a restoration from

Recommendation 20:

The Office of Information Technology should add elements to contracts and
service level agreements for externally hosted systems to provide appropriate
methods by which the Securities and Exchange Commission (SEC) can obtain
assurance that appropriate disaster recovery plan testing is performed on
mission essential and Federal Information Security Management Act reportable
systems and to ensure the systems are able to function during unscheduled
events.
Such measures may include SEC participation in the disaster recovery
plan testing for the externally hosted systems and/or a review of the results of
such testing.

Recommendation 21:

The Office of Information Technology should include elements of testing from an
alternate site in the regional office continuity of operations program, disaster
recovery, and business continuity plan testing on a periodic basis to ensure the
necessary capability and functionality for regional office activities are in place.

Recommendation 22:

The Office of Freedom of Information Act, Records Management and Security
and the Office of Information Technology should include designated essential
personnel for systems, divisions/offices, and regional offices in COOP and
disaster recovery testing to ensure that a trained workforce is available to support
the SEC’s mission critical functions following a disaster.

Recommendation 23:

The Office of Information Technology should ensure that system specific scripts
and test scenarios are included in the disaster recovery and business continuity
plan testing activities to provide assurance of system functionality at alternate
locations.

Recommendation 24:

The Office of Freedom of Information Act, Records Management, and Security
(OFRMS) and the Office of Information Technology (OIT) should reassess the
definition of essential personnel to ensure that this designation includes only
personnel whose services are needed during an event to establish mission
essential system connectivity and conduct essential activities until normal
operations are resumed.
OFRMS and OIT should also develop policies and
procedures to ensure that elevated communication cards are distributed only to
necessary personnel, cards are disabled upon an employee’s departure from the
agency, and all essential personnel have appropriate elevated communication
cards.

Recommendation 25:

The Office of Freedom of Information Act, Records Management, and Security, in
conjunction with the regional offices, should specify alternate work locations for
which the necessary logistics, such as memoranda of agreement, service level
agreements, or credit card limits for hotel conference rooms or other locations,
are arranged in advance.

Recommendation 26:

The Office of Freedom of Information Act, Records Management, and Security
should categorize essential personnel according to necessary functions, based
on various realistic scenarios (such as Headquarters or Operations Center
locations becoming inaccessible or not operational, including traffic conditions
that would affect the scenario). Possible categories include personnel required
for immediate activities, personnel needed to establish connections at the
alternate site, and personnel needed to work remotely at designated alternate
sites such as their homes, hotels, or other specified locations.

Recommendation 27:

The Office of Freedom of Information Act, Records Management, and Security,
as part of its planning efforts, should specify when Commission personnel are to
telework after an event and when they must go to the designated alternate
locations instead of teleworking.

Recommendation 28:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should define migration paths from the
                    should it become inaccessible and specify where the alternate
worksite locations for the

Recommendation 29:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should ensure that the designated
Headquarters alternate worksites are ready for use and contain sufficient
equipment and technology resources. In addition, COOP plan documentation
should be revised to reflect current space availability and needs, taking into
account the potential for telework and remote access.

Recommendation 30:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should ensure that designated alternate
worksite locations are visited and tested periodically to ensure ready access and
use. Appropriate steps should be taken to ensure that any cards or badges
required for entry to alternate worksite locations are kept up to date and have not
expired.

Recommendation 31:

The Office of Information Technology (OIT) should reinforce the need for
Securities and Exchange Commission (SEC) personnel and contractors to
register in the agency’s emergency notification system, which is designated as
the primary method of notifying employees during a continuity of operations or
pandemic event.
OIT should also implement procedures to ensure the removal
of personnel from the emergency notification system after they leave the SEC.

Recommendation 32:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should clearly define in the continuity of
operations, disaster recovery, and business continuity plan documentation the
alternate worksite or telework locations for both essential and non-essential
personnel. This documentation should also clarify whether, when relocating to
an alternate site is required, family members may accompany Commission
employees and contractors to the relocation site, consistent with federal
regulations.

Recommendation 33:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should ensure that recommendations
made as a result of the continuity of operations, disaster recovery, business
continuity, and pandemic testing are included in a management corrective action
plan (CAP) and are maintained in the CAP until they are resolved.

Recommendation 34:

The Office of Information Technology (OIT) should ensure that open plan of
action and milestones (POA&M) items from previous years are evaluated by
management and final corrective actions are implemented to close the items.

Recommendation 35:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology should ensure that continuity of
operations, disaster recovery, and business continuity plan training occurs prior to
annual tests, exercises, or events as recommended by NIST Special Publication
800-84, Guide to 
Test, Training, and Exercise Programs for Information
Technology Plans and Capabilities, in order to ensure that individuals are
prepared for their specific roles during a disaster recovery event.

Recommendation 36:

The Office of Freedom of Information Act, Records Management, and Security, in
conjunction with the Office of Human Resources, the Office of Information
Technology, and the various divisions and offices, should consider, consistent
with federal personnel regulations, whether regional office personnel can be
cross-trained in functions that are performed exclusively at the Commission
Headquarters and regional offices and, if so, should define these functions and
implement procedures for cross-training personnel for mission essential functions
in the case of a COOP or pandemic event.

Recommendation 37:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology, in conjunction with the Office of
Administrative Services and the Office of the General Counsel, should document
that the necessary contractual agreements and/or provisions are in place to
ensure the availability of hardware, software, and services that may be required
during an emergency. The use of government credit cards to procure such
equipment and services should also be considered and documented.
If
government credit cards are to be used for this purpose, the authorized limits
established should be sufficient for such purchases.

Recommendation 38:

The Office of Freedom of Information Act, Records Management, and Security
and the Office of Information Technology, in conjunction with the regional offices,
the Office of Administrative Services, the Office of Financial Management, and
the Office of the General Counsel, should ensure that appropriate and updated
memoranda of agreement, memoranda of understanding, and service-level
agreements are executed to provide for alternate work site locations,
capabilities, and accommodations that may be necessary to ensure continuity of
operations.


                                                       Appendix VII


                        Management Comments


                                                                  Appendix VIII


      OIG Response to Management’s Comments

We are pleased that SEC management has concurred with the 38
recommendations contained in this report. We believe that full implementation of
these recommendations will act to strengthen the SEC’s Continuity of Operations
Program.


                  Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to
request an audit in the future or have an audit idea, please contact us at:

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington D.C. 20549-2736

Tel. #: 202-551-6061
Fax #: 202-772-9265
Email: oig@sec.gov


      Hotline
      To report fraud, waste, abuse, and mismanagement at SEC,
      contact the Office of Inspector General at:

      Phone: 877.442.0854

      Web-Based Hotline Complaint Form:
      www.reportlineweb.com/sec_oig